

S. Hrg. 112-785 

THE NEED FOR PRIVACY PROTECTIONS: IS 
INDUSTRY SELF-REGULATION ADEQUATE? 


HEARING 

BEFORE THE 

COMMITTEE ON COMMERCE, 
SCIENCE, AND TRANSPORTATION 
UNITED STATES SENATE 

ONE HUNDRED TWELFTH CONGRESS 

SECOND SESSION 


JUNE 28, 2012 


Printed for the use of the Committee on Commerce, Science, and Transportation 



U.S. GOVERNMENT PRINTING OFFICE 
81-711 PDF WASHINGTON : 2013 




SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION 
ONE HUNDRED TWELFTH CONGRESS 
SECOND SESSION 


JOHN D. ROCKEFELLER IV, West Virginia, Chairman 


DANIEL K. INOUYE, Hawaii 
JOHN F. KERRY, Massachusetts 
BARBARA BOXER, California 
BILL NELSON, Florida 
MARIA CANTWELL, Washington 
FRANK R. LAUTENBERG, New Jersey 
MARK PRYOR, Arkansas 
CLAIRE McCASKILL, Missouri 
AMY KLOBUCHAR, Minnesota 
TOM UDALL, New Mexico 
MARK WARNER, Virginia 
MARK BEGICH, Alaska 


KAY BAILEY HUTCHISON, Texas, Ranking
OLYMPIA J. SNOWE, Maine
JIM DeMINT, South Carolina
JOHN THUNE, South Dakota
ROGER F. WICKER, Mississippi
JOHNNY ISAKSON, Georgia
ROY BLUNT, Missouri
JOHN BOOZMAN, Arkansas
PATRICK J. TOOMEY, Pennsylvania
MARCO RUBIO, Florida
KELLY AYOTTE, New Hampshire
DEAN HELLER, Nevada


Ellen L. Doneski, Staff Director 
James Reid, Deputy Staff Director 
John Williams, General Counsel 
Richard M. Russell, Republican Staff Director 
David Quinalty, Republican Deputy Staff Director 
Rebecca Seidel, Republican General Counsel and Chief Investigator 





CONTENTS 


Hearing held on June 28, 2012
Statement of Senator Klobuchar
Statement of Senator Ayotte
Statement of Senator Rockefeller
Statement of Senator Thune

Witnesses

Bob Liodice, President and CEO, Association of National Advertisers, Inc.
on Behalf of The Digital Advertising Alliance
    Prepared statement
Alex Fowler, Chief Privacy Officer, Mozilla
    Prepared statement
Peter Swire, C. William O’Neill Professor of Law, The Ohio State University
    Prepared statement
Berin Szoka, President, TechFreedom
    Prepared statement

Appendix

Statement of Computer & Communications Industry Association





THE NEED FOR PRIVACY PROTECTIONS: IS 
INDUSTRY SELF-REGULATION ADEQUATE? 


THURSDAY, JUNE 28, 2012 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Committee met, pursuant to notice, at 10 a.m. in room SR-253,
Russell Senate Office Building, Hon. Amy Klobuchar, presiding.

OPENING STATEMENT OF HON. AMY KLOBUCHAR, 

U.S. SENATOR FROM MINNESOTA 

Senator Klobuchar. Call the hearing to order. Thank you, everyone,
for being here. There are a few other things going on in
Washington, so Senator Ayotte and I are chairing this hearing. I
wonder why.

[Laughter.] 

Senator Klobuchar. But I know Chairman Rockefeller will be
here soon. And I think you all know this is a very important subject
to this committee. I see that Senator Thune is also here with
us.

This is an important issue for the future of commerce in the U.S., 
and more and more of our daily lives, as we all know, as I checked 
Twitter and Facebook already this morning, more and more of our 
daily lives are connected to the Internet. 

I believe that consumers need to have a larger voice when it 
comes to their online experience and their data, and that is why 
Chairman Rockefeller has worked with the FTC to create Federal 
policy that protects consumers’ data online. And I hope that this 
committee will continue to work together to find the appropriate 
legislative balance. 

I’m also pleased to see the efforts of the industry to self-regulate 
its practices regarding data collection and tracking. And I believe 
that industry actions are moving this privacy conversation forward 
in a positive way. 

I hope we’ll be able to work together in the Commerce Committee 
on consumer data privacy legislation going forward. And I would 
also like to commend the FTC and the Department of Commerce 
for keeping these issues in the forefront this year. 

We always have to be as sophisticated as those that are trying 
to play around with some of the rules. And I think that we have 
tried to track that, but, most importantly, we’ve also worked with 
the industry to track that. 

So, with that, Senator Ayotte, would you like to say a few words? 



STATEMENT OF HON. KELLY AYOTTE, 

U.S. SENATOR FROM NEW HAMPSHIRE 

Senator Ayotte. I would. Thank you, Madam Chair. 

Last month, in this committee, we had the opportunity to hear
from the FTC on privacy, so I look forward to hearing an additional
perspective from the witnesses that are here before us today. So
thank you for being here with us, including representatives from
the technology and advertising industries and experts from the
academic community.

This debate centers on how online information is legally collected 
and disseminated for commercial usage. It’s critical that we first 
understand this process before we begin to debate how privacy 
should be regulated or legislated. 

This field is evolving so rapidly that we must proceed cautiously 
and carefully before diving into any legislation. It is imperative 
that any legislation we consider guarantees that usage of collected 
data is not hampered by overly restrictive and burdensome Federal 
and regulatory policies. 

As we all know, e-Commerce is a vibrant, thriving sector of the
global economy. The Information Technology and Innovation Foundation
estimated that the annual global economic benefit of the
commercial Internet is $1.5 trillion. This is more than medicine,
investment in renewable energy, and government investment in R&D
combined.

The Internet generates at least $300 billion of economic activity 
annually, accounting for an astonishing 2 percent of the United 
States GDP. 

The Kelsey Group estimates that Internet advertising, which was
$45 billion in 2007, is expected to grow to $147 billion by the end
of 2012. These statistics are just the tip of the iceberg and will
continue to grow exponentially.

However, we are not here today to talk about statistics. The
broader point here is that we are seeing the online world flourish,
and that reality dictates that we find the proper balance between
ensuring e-commerce has the tools it needs to thrive, innovate, and
create jobs, and making sure our regulatory climate is one that
provides adequate consumer safeguards.

As we all know, Microsoft set off quite a firestorm when it
announced Internet Explorer 10 will have its “do not track”
component default set to opt out of tracking. Whether or not this is the
best policy shouldn’t be up to Congress to determine.

The beauty of living in a free enterprise society is that the
market has a way of determining what works and what does not, and
what is popular with consumers and what is not. And at the end
of the day, there is enough competition in the marketplace for
consumers to have the opportunity to decide what works best for them
without congressional interference.

Last, we must also acknowledge that there are certain benefits
to data collection for consumers. For instance, we all enjoy free
e-mail, countless free streaming videos, and free news services, just
to name a few of the free online benefits that consumers enjoy.
This is all possible because the collection of data leads to targeted
advertising to pay for these services, and, more importantly,
consumers choose to use these services because they value them.





I know that some members of this committee are aggressively 
calling for stringent privacy legislation. But as I mentioned, we 
must not act too quickly or haphazardly, and we need to be 
thoughtful in our approach in striking a proper balance. 

This is a fast-moving field, and I’m concerned that hastily
written legislation could be outdated by the time the ink dries and it
becomes law.

I look forward to a robust discussion today with our
distinguished panel. And I yield back the balance of my time. Thank you,
Madam Chair.

Senator Klobuchar. Thank you very much. 

Now we’re going to hear from our panel of witnesses. I will
introduce them all and then have them give their opening statement.

First, Mr. Bob Liodice, who is the President and CEO of the
Association of National Advertisers.

Second, Mr. Alex Fowler, who is the Global Privacy and Policy 
Leader with Mozilla. 

Third, Mr. Peter Swire, who is the C. William O’Neill Professor 
of Law with Ohio State University. 

And then, fourth, Mr. Berin Szoka, who is the President of 
TechFreedom. 

Thank you all for being here, and we will begin with Mr. Liodice. 
Thank you. 

STATEMENT OF BOB LIODICE, PRESIDENT AND CEO, 
ASSOCIATION OF NATIONAL ADVERTISERS, INC. ON BEHALF 
OF THE DIGITAL ADVERTISING ALLIANCE 

Mr. Liodice. Good morning, Senators. Thank you for the
opportunity to be here, and thank you for your opening remarks.

My name is Bob Liodice. I am President and Chief Executive
Officer of the Association of National Advertisers, also known as the
ANA. We were founded in 1910, and our membership includes 460
member companies that represent over 10,000 brands that
collectively spend over $250 billion every year in marketing,
communications, and advertising.

Today, I am pleased to testify on behalf of the Digital
Advertising Alliance, also known as the DAA. The DAA is a nonprofit
organization of leading companies and trade associations, including
the ANA, the American Association of Advertising Agencies, the
Direct Marketing Association, the Interactive Advertising Bureau, the
American Advertising Federation, and the Network Advertising
Initiative. Collectively, these associations represent over 5,000
corporations.

And my written testimony provides greater detail, but please let 
me highlight a few key points. 

Let me begin by stating very clearly: our self-regulatory system 
works. 

I’ve learned a long time ago not to confuse effort with results. 
Senators, we have results that few, if any, can claim. We have built 
and implemented a system that is operating and is effective. 

Four years ago, we began this journey when 5,000 companies 
came together, recognizing the enormity and complexity of the 
challenge. We agreed that the pathway to success was through a 
highly perfected and enormously effective self-regulatory body. 





It was created in 1971. It’s administered by the Council of Better
Business Bureaus. It is heralded by many Federal Trade Commission
chairs as one of the best self-regulatory processes in the U.S.
It’s dynamic. It’s fluid. It’s evolutionary. And it’s respected. And it
is beyond reproach and without peer.

The DAA was built from this self-regulatory body to tackle the 
challenges and complexities of interest-based advertising, and to 
address the concerns that you all expressed through legislators, 
agencies, privacy groups, and consumers. 

And we have succeeded. Our business system was created from
a disciplined, seven-prong strategy that has had significant
marketplace impact that has been enormously successful in a very
short span of time.

Those seven planks are principles that were crafted and
approved in July 2009, which includes consumer education, enhanced
notice, innovative choice mechanisms, data security, sensitive data
protection, consent for policy changes, and, most importantly,
enforcement.

The second plank is monitoring. And that required an
investment to ensure compliance with our principles that were
established in 2009.

Importantly, the third plank is reporting to ensure that we can 
provide the necessary information to enforcement bodies. 

And then following that is accountability, to ensure that those 
people who are with our program are absolutely compliant. 

We’ve created the fifth plank, which is enforcement. 

Sixth is education, which I will talk about in just a moment. 

And then, seventh, and something that we don’t always give a 
lot of credence to: it’s evolutionary. To address the point that you 
made about technology before, this is continuing to evolve. And we 
have to be on our game to keep up with the pace of changes that 
are taking place. 

As I said at the beginning, I’ve learned a long time ago not to
confuse effort with results, but we have both. The system is
operational. It works and works well. Our effectiveness is rapidly
growing. And we’re structured to evolve to address new challenges.

Let me address some of the progress that we’ve made. The
existing DAA program clearly shows the merits of self-regulation. It is
easy for consumers, and it works. As this committee is aware, the
cornerstone of the DAA program is our ubiquitous advertising icon,
which appears right in the chart over here.

Consumers can click on this icon to access more information in
a simple, universal tool for existing choice, as shown here. Through
this choice tool, consumers can opt out for all participating
companies with a single click or can opt out for specific companies.

All the DAA’s self-regulatory principles are backed by robust
enforcement mechanisms through the Council of Better Business
Bureaus and the Direct Marketing Association.

Several key milestones: The icon is licensed by hundreds of
companies and served in over a trillion ad impressions each month. We
believe that virtually all U.S. consumers are being exposed to the
icon and offered choice.

More than 1 million consumer opt-outs have been registered
under the DAA principle since January 2011, which clearly shows
that the program is enabling consumers to exercise their individual
choices.

Next, the DAA’s release tools have enabled persistent consumer
choices in Chrome, Firefox, and Internet Explorer browsers, and
these tools respond to concerns that consumers could
unintentionally change their preferences by erasing cookies.

And last, we believe that consumers need to be educated about
the program. So in January 2012, the DAA launched a major
consumer education program, designed by McCann Erickson
Worldwide, with a brand new website at www.YourAdChoices.com that
features educational videos and access to DAA’s uniform choice
mechanism. This website is averaging over 1 million visitors each
month.

We’ve done a lot. We’ve accomplished a lot. And a lot of that is 
embodied in the recognition that we received from the White House 
and the FTC in a ceremony here in February. 

Thank you for inviting me to testify before the Committee. And 
I look forward to any questions you may have. 

[The prepared statement of Mr. Liodice follows:] 

Prepared Statement of Bob Liodice, President and CEO, Association of
National Advertisers, Inc. on Behalf of The Digital Advertising Alliance

Chairman Rockefeller, Ranking Member Hutchison, and Members of the
Committee, good morning and thank you for the opportunity to speak at this important
hearing.

My name is Bob Liodice. I am President and Chief Executive Officer of the
Association of National Advertisers (“ANA”). Founded in 1910, ANA’s membership
includes 457 companies with 10,000 brands that collectively spend over $250 billion
every year in marketing communications and advertising. ANA strives to
communicate marketing best practices; lead industry initiatives; influence industry
practices; manage industry affairs; and advance, promote, and protect all advertisers
and marketers. Today, I am pleased to testify on behalf of the Digital Advertising
Alliance (“DAA”) and to report to the Committee on the substantial progress of our
Self-Regulatory Program.

The DAA is a non-profit organization of leading companies and trade associations
including the Association of National Advertisers (ANA), the American Association
of Advertising Agencies (4A’s), The Direct Marketing Association (DMA), the
Interactive Advertising Bureau (IAB), the American Advertising Federation (AAF) and
the Network Advertising Initiative (NAI). The DAA was formed to administer and
promote the Self-Regulatory Principles for online data collection. The ANA has
played a leading role in these efforts since their inception.

My testimony today will describe how the online advertising industry has
successfully worked to give consumers transparency about online data collection practices
and to create easy, uniform, and effective tools for consumers to control online data
collection. DAA participating companies recognize that consumers may have
different preferences about online advertising and data collection in general, and want
to build consumer trust in the online experience by ensuring that consumers have
meaningful choices about how data is collected and used.

The DAA appreciates the Committee’s interest in exploring how consumer privacy
concerns should be balanced with consumers’ desire for innovative products and
services. We believe that industry self-regulation, coupled with consumer education,
is the best way to strike this balance. Our standards support both privacy and
innovation by enabling consumers to make intentional choices about online data
collection and use. Industry self-regulation is flexible and can adapt to rapid changes in
technology and consumer expectations, whereas legislation and government
regulation, particularly in such a rapidly-developing area, can stifle innovation. The
business community has a strong incentive to enforce self-regulation against
participating companies and I will be explaining how accountability is built into our
Self-Regulatory Program.





Benefits of Online Advertising 

The Internet is a tremendous engine of economic growth. It has become the focus
and a symbol of the United States’ famed innovation, ingenuity, inventiveness, and
entrepreneurial spirit, as well as the venture funding that flows from these
enormously productive and positive efforts. Simply put: the Internet economy and the
interactive advertising industry create jobs. A 2009 study found that more than
three million Americans are employed due to the advertising-supported Internet,
contributing an estimated $300 billion, or approximately 2 percent, to our country’s
GDP. 1 There is employment generated by this Internet activity in every single
congressional district. 2

Advertising fuels the Internet economic engine. The support provided by online
advertising is substantial and growing despite the difficult economic times we are
presently facing. In 2011, Internet advertising revenues reached a new high of $31
billion, an impressive 22 percent higher than 2010’s full-year number. 3

Because of this advertising support, consumers can access a wealth of online
resources at low or no cost. Revenues from online advertising facilitate e-commerce
and subsidize the cost of content and services that consumers value, such as online
newspapers, blogs, social networking sites, mobile applications, e-mail, and phone
services. These advertising-supported resources have transformed our daily lives.

Interest-based advertising is an essential form of online advertising. As the
Committee knows, interest-based advertising, also called online behavioral advertising
(“OBA”), is delivered based on consumer preferences or interests as inferred from
data about Internet activities. Consumers are likely to find interest-based
advertisements more relevant to them, and advertisers are more likely to attract consumers
that want their products and services. Websites also benefit because interest-based
advertising garners better responses, allowing websites to earn more revenue — and
support more content and services — with fewer advertisements. Advertisers have
demonstrated that they believe that interest-based advertising is particularly
effective by paying higher rates for such ads.

Interest-based advertising is especially vital for small businesses because it is
efficient. Smaller advertisers can stretch their marketing budgets to reach consumers
who may be interested in their offerings. Smaller website publishers that cannot
afford to employ sales personnel to sell their advertising space, and may be less
attractive to large brand-name advertising campaigns, can increase their revenue by
featuring advertising that is more relevant to their users. In turn,
advertising-supported resources help other small businesses to grow. Small businesses can use free
or low-cost online tools, such as travel booking, long-distance calling, and
networking services, to help them run their companies.

Recent research highlights the importance of interest-based advertising. In a
recent congressional hearing on “Internet Privacy: The Impact and Burden of EU
Regulation,” Professor Catherine Tucker of the MIT Sloan School of Management
testified about the effect on advertising performance of the European Union’s e-Privacy
Directive, which limits the ability of companies to collect and use behavioral data
to deliver relevant advertising. Professor Tucker’s research study found that the
e-Privacy Directive was associated with a 65 percent drop in advertising performance,
measured as the percent of people expressing interest in purchasing an advertised
product. The study also found that the adverse effect of such regulation was greatest
for websites with content that did not relate obviously to any commercial product,
such as general news websites. We believe that by creating a worldwide
marketplace of relevant and timely advertising, competition and innovation are also
enhanced.

In general, the data used for interest-based advertising is not personally
identifiable, except when consumers choose to provide personally identifiable information.
Nevertheless, the industry recognizes and respects that some consumers may prefer
not to receive such advertising or to have data collected about their Web browsing
even on an anonymous basis. I will be updating the Committee on our industry’s
tremendous efforts to make sure that consumers have transparency about online
data collection and can exercise control over their preferences — including opting out,
if they so desire.


1 Hamilton Consultants, Inc. with Professors John Deighton and John Quelch, Economic Value
of the Advertising-Supported Internet Ecosystem, at 4 (June 10, 2009), available at
http://www.iab.net/media/file/Economic-Value-Report.pdf.

2 Id. at 53.

3 Interactive Advertising Bureau Press Release, “Internet Ad Revenues Hit $31 Billion in
2011, Historic High Up 22 percent Over 2010 Record-Breaking Numbers” (April 18, 2012)
(reporting results of PricewaterhouseCoopers study).





II. Browser-Based Choice Mechanisms 

Over the last three and a half years, the DAA has worked with a broad set of
stakeholders with significant input from businesses, consumers, and policy makers
to develop a program governing the responsible collection and use of Web viewing
data. The DAA has championed a balanced approach that both accommodates
consumers’ privacy expectations and supports the ability of companies to deliver
services and continue innovating. This balance is essential to allow consumers to
continue to enjoy the diverse range of websites and services subsidized by relevant
advertising. Recognizing that DAA members must also provide consumers with
appropriate transparency and choices, industry has spearheaded the self-regulatory
process with the support of leading companies.

The DAA’s work led to an event in February at the White House where the
Chairman of the Federal Trade Commission, the Secretary of Commerce and White House
officials publicly praised the DAA’s cross-industry initiative. The White House
recognized our Self-Regulatory Program as “an example of the value of industry
leadership as a critical part of privacy protection going forward.” 4 At that event, the DAA
committed to honor browser settings that enable the use of data to continue to
benefit consumers and the economy, while at the same time providing consumers with
the ability to make their own choices about the collection and use of Web browsing
data.

However, a recent technology announcement from Microsoft includes
requirements that are inconsistent with the consensus achieved over the appropriate
standards for collecting and using Web viewing data. The DAA is concerned that this
unilateral decision by one browser maker may ultimately significantly narrow the scope
of consumer choices, undercut thriving business models, and reduce the availability
and diversity of the Internet products and services that millions of American
consumers currently enjoy and use at no charge. The resulting marketplace confusion
will not benefit consumers, and will profoundly adversely impact the broad array
of advertising-supported services they currently widely use. In fact, as we will now
detail, it is only the DAA program that provides a comprehensive set of
interest-based privacy choices to consumers, greater consumer education and information,
enforcement activities, and true consumer empowerment in the area of OBA
privacy.

III. Industry Self-Regulation of Online Data Practices 

A. Implementation Update on DAA’s Self-Regulatory Principles 

The DAA’s Self-Regulatory Program for online data collection amply demonstrates
the merits of industry self-regulation. The DAA, as noted, is comprised of the six
leading advertising and marketing trade associations: the ANA, the 4A’s, the DMA,
the IAB, the AAF and the NAI. Collectively, these trades represent more than 5,000
U.S. corporations across the full spectrum of businesses that have shaped and
participate in today’s media landscape.

Our trade associations, along with leading companies, released the
Self-Regulatory Principles for Online Behavioral Advertising (“OBA Principles”) 5 in July
2009. The OBA Principles are a set of consumer-friendly standards that apply
across the entire online advertising ecosystem. They address all of the key elements
called for by the Federal Trade Commission in its 2009 Staff Report on
interest-based advertising, 6 namely: (1) consumer education, (2) enhanced notice of data
practices, (3) innovative choice mechanisms, (4) data security, (5) sensitive data
protection, (6) consent for retroactive material policy changes, and (7) enforcement. The
Principles are designed to apply broadly to the diverse set of actors that work
interdependently to deliver relevant advertising intended to enrich the consumer online
experience. Together, these Principles aim to increase consumers’ trust and
confidence in how information is gathered from them online and how it is used to
deliver advertisements based on their interests. Let me briefly review how the
Principles work from a consumer’s perspective:


4 Speech by Danny Weitzner, We Can’t Wait: Obama Administration Calls for A Consumer
Privacy Bill of Rights for the Digital Age (February 23, 2012), available at
http://www.whitehouse.gov/blog/2012/02/23/we-can-t-wait-obama-administration-calls-consumer-privacy-bill-rights-digital-age
(last visited March 16, 2012).

5 DAA Self-Regulatory Principles for Online Behavioral Advertising (July 2009), available at
http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf.

6 Federal Trade Commission Staff Report, Self-Regulatory Principles for Online Behavioral
Advertising (February 2009), available at
http://www.ftc.gov/os/2000/02/P085400behavadreport.pdf.





• First, an advertisement covered by the Principles is identified with the
distinctive Advertising Option Icon (“Icon”) (Attachment 1), which appears in the
advertisement right where the consumer will notice it. Launched in 2010, this
Icon is now a familiar sight across the Internet as a means for uniformly
providing consumers with transparency and control.

• Clicking the Icon brings up a brief statement about online behavioral
advertising, with a link to more information and opt-out choices.

• Interested consumers can click this link to visit AboutAds.info, an
industry-sponsored website that provides consumer education and, most importantly,
consumer choice. Through this mechanism, a consumer can learn, in real time,
which participating companies are currently tailoring advertising to their
browser.

• Consumers can elect to opt out from all participating companies through a
prominent, single-click button or select individually the companies they want to
tailor advertising to their browser. This approach empowers consumers, if they
wish, to make an informed and intentional choice to stop collection of
information that will provide them with relevant tailored advertising.

Over the past year, the DAA has achieved several significant milestones in its
implementation of the Self-Regulatory Program:

• The Icon is being served in over one trillion ad impressions per month. 

• We estimate that the DAA program now covers over 90 percent of the online 
behavioral advertising being delivered, based on the participation of the top 15 
U.S. ad networks. 

• More than 100 companies are providing choice to consumers via the DAA’s
universal choice mechanism.

• More than one million consumer opt outs have been registered under the DAA 
Principles since January 2011. 

• Participation in the Program has quadrupled over the last year. Hundreds of 
companies are licensed to use the Icon (including leading global advertisers like 
American Express, AT&T, Disney, General Motors and Kraft Foods). Not only 
is the DAA working directly with large publishers, it has also forged innovative 
partnerships to enable small business publishers to display the Icon on their 
websites for free. 

• The DAA’s AboutAds website (www.aboutads.info) provides consumers with
information about online advertising and provides an easy-to-use opt out
mechanism. There have been over 8 million page views at AboutAds.info since its
inception in the fall of 2010, and traffic to the website has increased in recent
months as the Icon is more widely adopted.

• In November 2011, the CBBB announced its first enforcement cases. In June 
2012, the CBBB announced another round of enforcement cases. 

• In December 2011, the DAA began to offer tools that enable persistent
consumer opt outs in Chrome and Firefox browsers. The DAA released a
persistency tool for users of Internet Explorer in March 2012. These tools respond to
concerns that consumers could unintentionally change their opt-out preferences
by erasing cookies from their browsers.

• In January 2012, the DAA launched an education campaign to inform
consumers about interest-based advertising and how to take greater control of their
online privacy. This multi-phase online campaign, designed by McCann
Erickson Worldwide, includes banner advertising that directs consumers to the
DAA’s Icon and links to a new, informational website, www.youradchoices.com,
which features three educational videos and a user-friendly consumer choice
mechanism. The website has already had over 7.6 million visitors since its
launch. With an average of more than a million visitors each month, this is a
very promising start. To continue driving traffic to this website, the DAA has
already secured over 3 billion donated ad impressions from companies
participating in the Program.

B. Evolution of the Self-Regulatory Principles 

Alongside these implementation efforts, the Self-Regulatory Principles have con- 
tinued to evolve in response to emerging policy issues. In November 2011, the DAA 
extended the OBA Principles significantly with the release of the Self-Regulatory 
Principles for Multi-Site Data (“MSD Principles”). The MSD Principles establish 
comprehensive self-regulatory standards governing the collection and use of “multi- 
site data,” defined as data collected from a particular computer or device regarding
Web viewing over time and across non-affiliated websites. This principle applies con- 
trol beyond opting consumers out of receiving targeted ads, and empowers con- 
sumers to control the collection and use of Web viewing data for other purposes. 

The MSD Principles strike an appropriate balance by targeting specific concerns 
while maintaining the flow of information for legitimate uses. For instance, some 
policymakers have raised concerns that data collected for advertising purposes could 
be used as a basis for employment, credit, health care treatment, or insurance eligi- 
bility decisions. In fact, these are hypothetical concerns that do not reflect actual 
business practices. Nevertheless, industry has stepped forward to address these con- 
cerns by expanding our guidelines via the MSD Principles to clarify and ensure that 
such practices are prohibited and will never occur. This prohibition will help to en- 
sure that consumers’ browsing histories will not be used against them when apply- 
ing for a mortgage, job, or insurance, or when seeking health care. 

The DAA’s record of success demonstrates why industry self-regulation is so suc- 
cessful. The business community is in the best position to craft standards, like the 
MSD Principles, that respond to specific, articulated concerns while allowing bene- 
ficial uses of data to continue. As recognized by the Federal Trade Commission, limi- 
tations on collection, often misleadingly referred to as “Do Not Track”, should not 
be a flat restriction on all collection of all data in all contexts. 7 We agree. We de- 
signed the MSD Principles to provide consumers with control with respect to their 
Web viewing data while preserving commonly-recognized uses of data, including for 
operational purposes such as fraud prevention, intellectual property protection, com- 
pliance with law, authentication and verification purposes, billing, and product or 
service fulfillment. The MSD Principles also permit the use of data that has gone 
or will within a reasonable period of time from collection go through a de-identifica- 
tion process, or that is used for market research or product development. This ap- 
proach helps ensure the continued flow of data that is vital to the workings of the 
Internet and to the consumer online experience. 

Data collected pursuant to the exceptions listed above provides a grand array of 
consumer benefits. Data supports robust consumer safety mechanisms, ranging from 
fraud detection in financial services to prevention of online threats. In addition, the 
use of data leads to continued innovation, which has the potential to offer con- 
sumers untold benefits. For example, data can be leveraged to provide web-enabled 
smart grid services that enable consumers to obtain actionable information that 
saves them money and lowers energy consumption. The MSD Principles also allow 
companies to use data for market research and product development, so that we can 
keep building tomorrow’s Internet. Market research and product development ac- 
tively rely on consumer data, not to market directly back to consumers, but to gain 
broad insight about consumers’ collective preferences and needs so that businesses 
can better serve their customers. 

We expect that the DAA Self-Regulatory Program will continue to adapt over time 
to respond to changes in technology and consumer concerns. Currently, the DAA has 
convened a subcommittee of its Principles and Communications Advisory Committee 
that is working to extend the Principles to the mobile ecosystem. This effort has al- 
ready made significant progress with the active participation of stakeholders rep- 
resenting all major elements of the mobile ecosystem. 

C. Commitment to Accountability 

For the past 40 years, the advertising industry has distinguished itself through 
its self-regulatory system for independent oversight of compliance and public report- 
ing of enforcement actions. In keeping with this tradition, a key feature of the DAA 
Self-Regulatory Program is accountability. All of our Self-Regulatory Principles are 
backed by the robust enforcement programs administered by the Council of Better 
Business Bureaus (“CBBB”) and the DMA. 

The CBBB accountability program builds on the successful track records of the 
National Advertising Division, operating since 1971; the Children’s Advertising Re- 
view Unit, operating since 1974; and the Electronic Retailing Self-Regulation Pro- 
gram, operating since 2004. These programs feature public reporting of decisions 
and referral to government agencies, often to the Federal Trade Commission, of any 
uncorrected non-compliance. They have extremely high voluntary compliance rates. 
In fact, over 90 percent of companies voluntarily adopt the recommendations of 
these programs. Those that do not or choose not to participate are referred to the 
appropriate government agency for further review. 

The CBBB administers its Interest-Based Advertising Accountability Program 
under the Advertising Self-Regulatory Council’s (“ASRC”) self-regulatory procedures. 
Like other ASRC programs, the CBBB Accountability Program generates cases
through monitoring, consumer complaints and review of news stories and technical
reports from academics and advocacy groups. The CBBB Accountability Program
receives weekly reports on technical monitoring of various compliance requirements
of the Principles. The CBBB Accountability Program’s technical staff analyzes this
data, independently performs further research and, where there is a potential
compliance issue, initiates formal inquiries.

7 FTC Report at 53, available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.

The CBBB’s Accountability Program has brought over a dozen cases since Novem- 
ber 2011, and has the enviable track record of 100 percent industry compliance. The 
CBBB Accountability Program has focused its inquiries on the key concepts of trans- 
parency and choice under the DAA’s Self-Regulatory Principles. In its initial round 
of cases, the Accountability Program investigated whether companies were correctly 
and reliably providing consumers with an effective choice mechanism. Cases in- 
volved defective links to opt-out mechanisms and opt outs that failed to meet the 
OBA Principles’ five-year minimum opt-out period. 

The CBBB Accountability Program’s recent decisions provided companies with 
guidance on a range of important compliance issues involving the DAA’s Trans- 
parency and Consumer Control Principles. For example, in a case in which a newly- 
established company was unaware of the Principles and therefore out of compliance, 
the CBBB Accountability Program made clear that the Principles cover the entire 
advertising ecosystem and that all companies are expected to comply with these re- 
quirements. 

The DMA’s enforcement program likewise builds on a long history of proactive 
and robust self-regulatory oversight. The DMA’s longstanding Guidelines for Ethical 
Business Practice (“Guidelines”) set out comprehensive standards for marketing 
practices, which all DMA members must follow as a condition of membership. The 
DAA Self-Regulatory Principles are incorporated into these Guidelines. 

The DMA’s Committee on Ethical Business Practice examines practices that may 
violate DMA Guidelines. To date, the DMA Guidelines have been applied to hun- 
dreds of marketing cases on a variety of issues such as deception, unfair business 
practices, personal information protection, and online behavioral advertising. In 
order to educate marketing professionals on acceptable marketing practices, a case 
report is regularly issued which summarizes questioned direct marketing pro- 
motions and how cases were administered. The report also is used to educate regu- 
lators and others interested in consumer protection issues about DMA Guidelines 
and how they are implemented. 

The Committee works with both member and non-member companies to gain vol- 
untary cooperation in adhering to the guidelines and to increase good business prac- 
tices for direct marketers. The DMA Corporate Responsibility team and Ethics Op- 
erating Committee receive matters for review in a number of ways: from consumers, 
member companies, non-members, or, sometimes, consumer protection agencies. 
Complaints are reviewed against the Guidelines and Committee members determine 
how to proceed. If a potential violation is found to exist, the company will be con- 
tacted and advised on how it can come into full compliance. 

Most companies work with the Committees to cease or change the questioned 
practice. However, if a member company does not cooperate and the Committee be- 
lieves there are ongoing guidelines violations, the Committee can recommend that 
action be taken by the Board of Directors and can make case results public. Board 
action could include censure, suspension or expulsion from membership, and the 
Board may also make its actions public. If a non-member or a member company 
does not cooperate with the Committees and the Committees believe violations of 
law may also have occurred, the case is referred to Federal and/or state law enforce- 
ment authorities for their review. 

The CBBB and DMA programs illustrate how effectively self-regulation is working 
and its many benefits, including its ability to evolve to meet new challenges. 

D. Benefits of Industry Self-Regulation 

The DAA’s commitment to self-regulation has put us at the forefront of new con- 
sumer protection initiatives. The DAA believes that self-regulation is the appro- 
priate approach for addressing the interplay of online privacy and online advertising 
practices. We appreciate the positive recognition of the White House and the Fed- 
eral Trade Commission for our efforts. We believe that our approach has been suc- 
cessful in addressing consumer concerns while ensuring that the U.S. Internet econ- 
omy remains vibrant. Self-regulation provides industry with a nimble way of re- 
sponding to new challenges presented by the evolving Internet ecosystem. For our 
information-driven economy to thrive and continue as an engine of job creation, self- 
regulation led by industry codes of conduct is the ideal way to balance privacy and 
innovation. 





Based on the DAA’s commitment to advancing industry self-regulation, we are 
concerned about some of the proposals put forward by the Administration and the 
Federal Trade Commission in their respective consumer data privacy frameworks. 8
In particular, both the Administration and the Federal Trade Commission have 
called for comprehensive legislation in the area of consumer data privacy. The DAA 
does not believe that such new legislation is needed at this time. There has been 
no demonstration that legislation is necessary, nor has there been any evaluation 
of the likely impact that legislation would have on this leading area of American 
job creation. The DAA is concerned that laws and regulations are inflexible and can 
quickly become outdated in the face of extraordinarily rapidly-evolving technologies. 
When this occurs, legislation thwarts innovation and hinders economic growth. 

Formal rules can also serve as a disincentive to the marketplace to innovate in 
the area of privacy. Companies are increasingly offering consumers new privacy fea- 
tures and tools such as sophisticated preference managers, persistent opt outs, uni- 
versal choice mechanisms, and shortened data retention policies. These develop- 
ments demonstrate that companies are responsive to consumers and that companies 
are focusing on privacy as a means to distinguish themselves in the marketplace. 
The DAA believes that this impressive competition and innovation should be encour- 
aged. New laws or rules could impede future developments or discourage companies 
from continuing to compete over privacy features. We believe that the DAA pro- 
gram, which industry has already invested millions of dollars to develop, is clearly 
one of the most successful and fastest-developing self-regulatory systems in U.S. his- 
tory and should be allowed to continue to flourish without unneeded governmental 
intervention or legislation at this time. 

Thank you again for inviting me to testify before the Committee. I look forward 
to answering any questions the Committee may have. 

Attachment 1: Advertising Option Icon 








8 The White House, Consumer Data Privacy in a Networked World: A Framework for Pro- 
tecting Privacy and Promoting Innovation in the Global Digital Economy (February 2012); Fed- 
eral Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommenda- 
tions for Businesses and Policymakers (March 2012). 





Senator Klobuchar. Mr. Fowler? 

STATEMENT OF ALEX FOWLER, CHIEF PRIVACY OFFICER, MOZILLA

Mr. Fowler. Thank you, Chairman Rockefeller and distin- 
guished members of the Committee, for the opportunity to testify 
today. 

I am Alex Fowler. I oversee privacy for Mozilla and lead our 
work on Internet-related policy issues. 

Mozilla is an independent global community of people who have 
been working together since 1998 to build a better Internet. We’re 
dedicated to promoting openness, innovation, and opportunity on- 
line. 

Mozilla does not own or operate a search or advertising business. 
Our most popular product is the Firefox Web browser used by more 
than 500 million people. 

As a core principle, we believe the Internet is a public resource 
that must be improved and protected. We also believe enabling and 
maintaining an economic ecosystem is an important component of 
a robust and healthy Internet. 

However, we do not believe that the commercial imperative and 
choice and control are mutually exclusive. They can and must coex- 
ist through a combination of technical capabilities and user-centric 
business and data practices. 

The public is increasingly uneasy about the extent to which their 
online lives are invisibly profiled, analyzed, packaged, sold, and re- 
used to target advertising content and services. This is leading a 
growing number of users to want to understand and take measures 
to control the collection and use of data about them. 

We have an opportunity to work together to develop innovative 
mechanisms that address real business challenges and empower 
people to engage in an ecosystem that’s both sustainable and fair. 

Mr. Chairman, the remainder of my statement briefly touches on 
industry self-regulation, our “do not track” feature in Firefox, and 
the ability for industry to provide meaningful privacy choices. 

Regarding self-regulation, it’s unclear whether industry self-regu- 
lation by itself is a viable way to allow users to understand and 
control data collected and used about them. 

Consider the following three examples. 

First, industry self-regulation focused on notice and choice as a 
way to inform people to make decisions about which sites and serv- 
ices meet their privacy values. Unfortunately, as I outline in my 
written statement, privacy policies have not worked to inform or 
empower users. 

Seals and trust marks are a second example of a self-regulatory 
effort to improve transparency online. Research has shown that 
users don’t know what trust marks mean, and they don’t help them 
distinguish between data practices of different businesses. 

Last, we commend the DAA for its considerable work bringing to- 
gether the online advertising industry into its self-regulatory initia- 
tive. While its Ad Choices icon program is an important effort, re- 
search has shown it still remains unclear to users. Many believe 
that clicking on the icon will trigger pop-up ads or invite more
advertising. And many more think it’s related to purchasing
advertising space.

The ad industry’s own research shows the number of users who 
use the icon is below four-hundredths of a percent. 

If the consumer wants to opt out, she must first see the icon, un- 
derstand it, and then click on it, and then go to a site that offers 
the chance to find and set opt-out cookies. 

Opt-out cookies are not persistent and can easily be deleted by 
accident or by following recommended security practices. And dif- 
ferent companies interpret their opt-outs differently, rendering 
them ambiguous in the end. 

My point here is that without input and commitments from 
stakeholders outside of any one industry group, self-regulatory ef- 
forts that brought us policy, seals, and icons have not established 
public trust and engagement and still invite regulation and all the 
risks of unintended consequences that go with it. 

Not all hope is lost from our perspective. We’re seeing an impor- 
tant shift in self-regulatory efforts away from closed-door, industry- 
led efforts to open multi-stakeholder approaches. By broadening 
self-regulation into forums that involve all relevant parties, we can 
hopefully address past misses and avoid the need for regulation. 

We need to give this approach time to mature. But in the event 
that multi-stakeholder processes are unsuccessful, then it may be 
necessary to explore regulatory measures. 

Turning my attention to the current state of the “do not track” 
feature in Firefox, Mozilla was the first browser to implement “do 
not track” in March of last year. “Do not track” is a signal sent and 
transmitted by the user via the browser to websites. Nine percent 
of our users have turned on “do not track” in Firefox and 18 per- 
cent have it on in our mobile browser. Numerous companies al- 
ready honor “do not track,” including Twitter, the Associated Press, 
Jumptap, and more are on the way. 

“Do not track” does not enforce, break, control, disable, or impair 
any online tracking or personalization technology. To make it effec- 
tive, recipients must breathe life into the signal by honoring the 
user’s intent. 

The crucial questions, therefore, become what does the user in- 
tend by the “do not track” signal? What should a site do when it 
receives a signal? These questions are the subject of a consensus- 
driven, multi-stakeholder effort currently underway at the World 
Wide Web Consortium. 

The W3C’s tracking protection group includes, among others, 
over 35 leading advertisers, publishers, and technology companies. 
While the group has agreement on most of the technical require- 
ments, there are still two competing views on what “do not track” 
should mean. 

One is that “do not track” means literally what it says — no third- 
party tracking of users, whether it’s for targeted ads or other pur- 
poses. The other is that “do not track” means no targeting, but al- 
lows some tracking and collection. Currently, the working group is 
pursuing a middle ground, so stay tuned. 

Last — I only have a little time left — I wanted to share a quick 
point about the value of privacy tools. As long as there are incen- 
tives for companies to collect lots of user information, scale-up, and
then bolt on privacy protections after the fact, we are unlikely to 
see users satisfied with the promise of privacy tools. 

Instead, privacy by design is a crucial concept for the Committee 
to champion. Privacy by design is an approach that addresses user 
data and privacy implications from the outset. And I’d be pleased 
to come back another time to share more about this approach and 
how it works in the context of the technical marketplace. 

In conclusion, Mozilla strives to ensure privacy and security in- 
novations support consumers in their everyday activities online. 
But the key for us, and the key for users on the Internet, is that 
it’s informed and reasonable choice enabled through transparency. 

Thank you, again, for the opportunity to participate today. 

[The prepared statement of Mr. Fowler follows:] 

Prepared Statement of Alex Fowler, Chief Privacy Officer, Mozilla 

Chairman Rockefeller, Ranking Member Hutchison, and Members of the Com- 
mittee, thank you for the opportunity to testify today on the need for privacy protec- 
tions, the status of self-regulation, and Do Not Track.

I am Alex Fowler; I oversee privacy for Mozilla and lead our work on
Internet-related policy issues. I’ve spent the last twenty years working on privacy
as a technology policy analyst here in Washington, a consumer advocate, in a
start-up developing privacy software tools and as a Big 4 consultant advising
leading banks, healthcare and technology companies.

Mozilla is a global community of people who have been working together since 
1998 to build a better Internet. 1 As an independent organization, we are dedicated 
to promoting openness, innovation, and opportunity online. 2 Mozilla does not own 
or operate a search or advertising business. Our mission is to pursue the interests 
of users, developers and the Web as a whole. Mozilla and its contributors advance 
our goals by making free, open source technologies for consumers and developers 
that reflect these values. Our most popular product is the Firefox Web browser used 
by more than 500 million people worldwide. As a core principle, we believe that the 
Internet, as the most significant social and technological development of our time, 
is a precious public resource that must be improved and protected. 

We also believe that commerce is a vital and beneficial Internet activity. Enabling 
and maintaining economic ecosystems online is an important component of a robust 
and healthy Internet. However, we do not believe that the commercial imperative 
and user choice/control are mutually exclusive. They can and must coexist through 
a combination of technical capabilities and user-centric business and data practices. 

As a privacy professional, I see the Web ecosystem as increasingly relying on a 
guesswork economy. Many of our best and brightest engineering minds are hard at 
work on new technologies to predict and deliver what the user wants at just the 
right moment. They use content delivery networks, profiling, tracking, social graphs, 
and data analytics to grasp at tiny clues about us and piece them together to guess 
who we are, where we live, and what we like or want. Just recently it was reported 
that Orbitz presents higher priced hotels based in part on the operating system of 
the user. Apparently Mac users spend more on hotels, so Orbitz lists higher-priced 
rooms for them. 3 These results represent impressive feats of business and techno- 
logical prowess, and the industry reports record growth, 4 yet they have not led to 
a Web ecosystem where the user is an active and informed participant. 

The public is increasingly uneasy about the extent to which their online lives are 
invisibly profiled, analyzed, packaged, sold, and reused to personalize advertising,
content and services. 5 6 This unease leads many users to want to understand and
control the collection and use of data about them. We see new online privacy
protecting services launching every month and privacy browser add-ons are growing in
popularity. Many of the most popular approaches disrupt and are in direct conflict
with common business models. Some of the tools block interactions between users
and sites, third party advertising or data brokers. 7 8 This pattern has been likened
to an “arms race,” with industry and Web users locked in opposition to one another.

1 See http://www.mozilla.org for more information about Mozilla, its mission and many
initiatives.

2 The Mozilla Manifesto is available at http://www.mozilla.org/about/manifesto.en.html.

3 Mattioli, Dana. On Orbitz, Mac Users Steered to Pricier Hotels. The Wall Street Journal
(June 26, 2012). <http://online.wsj.com/article/SB10001424052702304458604577488822667325882.html>.

4 Ha, Lyons. Internet Ad Revenue Reaches $31B In 2011, Mobile Up 149 Percent (IAB Report).
TechCrunch (April 18, 2012). <http://techcrunch.com/2012/04/18/iab-revenue-report-2011/>.

We have an opportunity to break this cycle by working together with industry to 
develop innovative mechanisms that address real business and technical challenges 
and empower people to engage in an online ecosystem that’s both sustainable and 
fair. 

Mr. Chairman, the remainder of my statement focuses on the three areas you re- 
quested in your invitation on the current state of: industry self-regulation; our Do 
Not Track feature in Firefox; and the ability for industry to provide meaningful pri- 
vacy tools. 

The Current State of Industry Self-Regulation 

It is unclear whether industry self-regulation, by itself, is a viable way to allow 
users to manage and control data collected and used about them by third parties. 
Any process that does not represent the users’ interest is unlikely to be successful. 
Outside of the processes undertaken many years ago to develop fair information 
practices in the 1980s 9 and Website privacy policies in the 1990s, 10 we have tried 
to address current privacy issues either through narrowly construed, industry-led ef- 
forts or a patchwork of state, Federal and international privacy laws. 

In particular, industry promoted the notice and choice model as a way to harness 
the power of the free market to provide the transparency needed for people to make 
individual decisions about which sites and services meet their privacy needs. This 
is an important goal: it is clear that different people have very different privacy 
preferences, so ideally they would have the tools they need to make informed choices 
for themselves and their families. Unfortunately, the notice and choice approach has 
some flaws, which have led to failure in the market. Under our current model, 
choice was supposed to be enabled by consumers using the sites, services and appli- 
cations with the privacy notices that best reflect their values. Yet privacy notices 
are a mix of legal and technical jargon, impenetrable to all but the most sophisti- 
cated. Privacy policies are not going away, however. They are required under Cali- 
fornia law. We continue to see new best practices emerge, and the process of devel- 
oping privacy notices for mobile may lead to some new innovations. But the original 
idea that people would read multiple privacy policies to decide which sites to visit 
or buy from has not happened. Today, the privacy practices are indistinguishable 
across sites. Privacy policies have not worked to inform or empower users. 

Seals and trust marks are another form of notice that have only partially im- 
proved privacy online. The Better Business Bureau (BBB) offers a seal program. 11 
TRUSTe, which does so, too, has weathered some rough years, with findings that 
the business practices of TRUSTe customers are less privacy protective than aver- 
age. 12 BBB’s and TRUSTe’s work has been valuable in helping companies clarify 
their privacy practices. However, seals are an approach by business for business 
that has not measured up to the high hopes of empowering users’ online privacy 
choices. 


5 TRUSTe. 2008 study: Consumer attitudes about behavioral targeting. (March 2008).
<http://danskprivacynet.files.wordpress.com/2009/02/truste2008 tns bt study summary 1.pdf>.

6 Turow, J. et al., Americans Reject Tailored Advertising and Three Activities That Enable It
(September 29, 2009). <http://ssrn.com/abstract=1478214>.

7 Lyons, Sean. Privacy Concerns Spark Innovations Among Companies, Startups. International
Association of Privacy Professionals (May 11, 2012).
<https://www.privacyassociation.org/publications/2012 05 10 privacy concerns spark innovations among companies startups>.

8 Several of the most popular add-ons for Firefox are aimed at blocking advertising and
tracking, including Adblock Plus, Ghostery and NoScript. Adblock Plus alone has been downloaded
160 million times, and has almost 14 million daily users.

9 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Organisation for Economic Co-operation and Development (OECD)
<http://www.oecd.org/document/18/0,3746,en_2649_34223_1815186_1_1_1_1,00.html>.

10 Privacy Online: A Report to Congress. Federal Trade Commission (June 1998).
<http://www.ftc.gov/reports/privacy3/toc.shtm>.

11 BBB Accredited Business Seal for the Web <http://www.bbb.org/us/bbb-online-business/>.

12 Vila, T., Greenstadt, R., and Molnar, D. Why we can’t be bothered to read privacy policies:
models of privacy economics as a lemons market. In ICEC 2003 Proceedings of the 5th
International Conference on Electronic Commerce (2003) Pages 403-407.





One of the more recent and visible industry self-regulation efforts has focused on 
online behavioral advertising. 13 We join many others in commending the Digital Ad- 
vertising Alliance (DAA) for its work to bring together the online advertising indus- 
try, and the growth of its ad-based icon. While the icon program is a good step, it 
suffers from material implementation hurdles 14 and technological limitations that 
cause it to fall short. 15 Despite the advertising industry’s extensive expertise on suc- 
cinctly communicating complex messages, the advertising option icon is incredibly 
unclear to users. 16 Many believe that clicking on it will trigger pop-up ads or invite 
more advertising, and many more expect that it is related to purchasing advertising 
space. 17 According to the industry’s own research, the number of users who use the 
icon is low: 0.0035 percent click, and only 1 in 20 of those actually opt out. 18 

Since the icon is just a gateway to the industry’s current cookie-based opt-outs, 
it suffers from drawbacks and fragility. One significant challenge is that the mecha- 
nism is not persistent because it is cookie-based. Users who routinely clear their 
cookies for security or to limit tracking also inadvertently remove their opt-out cook- 
ies under the current industry self-regulatory program. The Ad Choice interface also 
does not work on all platforms, leaving Mac users without a way to opt-out. Opt- 
outs are also ambiguous: different companies interpret their opt-out cookies dif- 
ferently. Some stop collecting info about users, while others continue collecting info, 
but stop customizing content and advertising, making their data collection practices 
invisible to users. Finally, opt-out cookies are not a scalable option for users. Even 
if a user requests opt-out cookies for all advertisers today, that choice is not ex- 
tended for new advertising companies tomorrow. With this mechanism, users have 
to keep a vigilant eye out for new companies. 

My primary point here is that without input and commitments from stakeholders 
outside of the ad industry, industry efforts like seals and the one led by DAA will 
remain insufficient. They do not establish the public trust and engagement needed 
for success. Such options invite stronger measures like regulation and all the risks 
of unintended consequences that go with it. 

We are seeing an important shift in self-regulation away from closed-door, indus- 
try-led efforts to multi-stakeholder approaches where industry, users, academics, 
service providers, browser providers and consumer advocates come together to de- 
velop holistic frameworks and standards for the protection of privacy. 19 This is dif- 
ferent from what has happened in the past where a single industry adopted its own 
unilateral scheme. It is precisely this broadening of self-regulation to deliberately 
involve all relevant stakeholders, combined with FTC and Administration support, 
that will increase chances of success and potentially avoid the need for regulation. 

Many of these new discussions are occurring in the World Wide Web Consortium 
(W3C) Tracking Protection Working Group. 20 Despite dialogue that could sometimes 
be characterized as atypically aggressive (for standards working groups) and even 
personal at times, the process has been open, transparent, and inclusive. The group 
consists of over 35 leading companies, 21 including advertisers, publishers, and Inter- 
net companies, together with consumer advocates, industry trade associations, aca- 
demics from the U.S. and Europe, and independent experts. The discussions have 
been productive so far. The group is committed to following a consensus-based ap- 
proach to achieve a protocol that everyone can live with. 


13 Kaye, Kate. Icon War? Two Behavioral Ad Notice Icons Could Confuse. ClickZ (January, 
2010). <http://www.clickz.com/3636315> 

14 For example, “These results suggest that the icons and tagline are failing to effectively 
communicate their purpose to users” in Cranor, Lorrie F. Can Users Control Online Behavioral 
Advertising Effectively? Security and Privacy Economics (March/April 2012). 

15 Five technical hurdles described in Mayer, Jonathan R. and Mitchell, John C. Third-Party 
Web Tracking: Policy and Technology. In IEEE Symposium on Security and Privacy (2012), page 
422. 

16 Leon, P. et al. What Do Online Behavioral Advertising Disclosures Communicate to Users? 
(April 13, 2012). <http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab12008.pdf> 

17 Ibid. 

18 Consumer Interactions with Ad Notice. Evidon (2011). <http://cdn.betteradvertising.com/ 
misc/consumer%20impact%20of%20ad%20notice%201 1 1 l.pdf> 

19 See the NTIA’s Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct 
<http://www.ntia.doc.gov/federal-register-notice/2012/multistakeholder-process-develop-consumer-dataprivacy-codes-conduct>, 
as well as Mozilla’s comments to the National Technology and Information Administration, 
<http://www.ntia.doc.gov/files/ntia/mozilla comments 040212 final.pdf>. 

20 See the Tracking Protection Working Group page <http://www.w3.org/2011/tracking-protection/>. 

21 See the Tracking Protection Working Group participants list 
<http://www.w3.org/2000/09/dbwg/details?group=49311&public=1>. 





As a member of the W3C group, we remain optimistic that the process will 
produce a meaningful standard that ultimately provides people with more choice 
and control related to targeted ads and user tracking by 3rd parties. Together with 
the Administration’s multi-stakeholder process to develop a code of conduct that pro- 
motes transparent disclosures to consumers concerning mobile apps’ treatment of 
personal data, 22 we are hopeful that a more representative cadre of concerns will 
produce effective self-regulatory practices without the need for legislation. However, 
in the event that an open, multi-stakeholder process is not successful, it may be 
necessary to explore regulatory measures. 

The Current State of the Do Not Track Feature in Firefox 

Mozilla was the first browser to implement Do Not Track in March 2011 inspired 
by innovations from privacy and security researchers Christopher Soghoian and Dan 
Kaminsky. 23 When we first announced it, the ad industry was critical and Microsoft 
publicly ridiculed the feature, 24 but the FTC strongly supported it and our users 
wanted it. Today 9 percent of our users have turned on DNT in the desktop version 
of Firefox and 18 percent have turned on DNT in the mobile version. Microsoft has 
announced it will ship IE with DNT turned on by default in Internet Explorer 10, 
and soon it will be possible for users to turn on DNT in all major browsers. Numer- 
ous companies already honor the DNT signal, including social networks like Twitter, 
publishers like the Associated Press, and mobile advertisers like Jumptap, AdTruth, 
and more are on the way. We are building DNT into Thunderbird, our e-mail client, 
and our mobile operating system, code named Boot2Gecko, where the user’s DNT 
signal will be available to every app on the device. In addition to our engineering 
contributions, a Mozilla engineer submitted the first standards proposal for Do Not 
Track, and a member of our community is co-chair of the W3C standards effort. 

Do Not Track is a simple, digital signal sent by the user via the browser to 
websites. As a signal, Do Not Track does not enforce, break, control, disable or im- 
pair any online tracking or personalization technology. It is a signal that is sent 
along with Internet traffic, indicating that the user sitting behind the keyboard 
would like their privacy to be respected more strongly than might otherwise be the 
case. To make it effective, the recipients — websites and ad networks — must breathe 
life into the signal by honoring the user’s intent. The crucial questions therefore be- 
come: 

• What does the user intend by the DNT signal? 

• What should a site do when it receives this signal? 

These questions are the subject of a consensus driven multi-stakeholder effort cur- 
rently underway at the W3C, as I mentioned a moment ago. The Do Not Track 
working group is chartered 25 to develop a robust self-regulatory framework for user 
choice and control on the Web. While the group has agreement on most of the 
technical requirements of the protocol, there are still two competing views on what DNT 
should mean. One is that DNT means what it says, no 3rd party tracking of users 
whether it’s targeted ads or for other purposes. The other position is that DNT 
means no targeting, but tracking and collection are still acceptable. Currently, the 
working group is pursuing a middle ground. The participants are collaborating in 
an open process to determine both the technical and compliance requirements for 
a Do Not Track system. 

No single party can address privacy related to personalization and tracking on 
their own. The ecosystem is so diverse and specialized that there is no one entity 
who knows exactly which data is going where. Publishers can’t predict which ads 
will show up on their sites after an auction. Advertisers can’t predict which sites 
their ads will land upon. There is no single place for users to go to find out: “Where 
did my data end up?” 


22 United States Department of Commerce. First Privacy Multistakeholder Meeting: July 12, 
2012. National Telecommunications & Information Administration (June 15, 2012). 
<http://www.ntia.doc.gov/headlines/2012/first-privacy-multistakeholder-meeting-july-12-2012> 

23 Soghoian, C. The History of the Do Not Track Header (January 21, 2011). 
<http://paranoia.dubfire.net/2011/01/history-of-do-not-track-header.html> 

24 Mullin, J. Microsoft: It’s Naive To Trust Tracking Sites To Obey Anti-Tracking Orders. 
paidContent (February 10, 2011). 
<http://paidcontent.org/2011/02/10/419-microsoft-its-naive-to-trust-tracking-sites-to-obeyanti-tracking-signa/> 

25 See the Tracking Protection Working Group charter 
<http://www.w3.org/2011/tracking-protection/charter>. 





There is likewise no party that can build a complete solution on their own. 
Browsers have many options to provide strong choices and controls to their users. 26 
However, browsers’ technical measures risk being overly blunt, and disabling some fea- 
tures as well as protecting against privacy threats. As noted earlier, the cookie- 
based opt-outs provided by advertisers and analytics engines are ambiguous, do not 
scale, are not persistent, and do not truly address many users’ privacy concerns. Ad- 
vertising self-regulatory groups do not include social networks like Facebook or 
Twitter. Users are concerned about being followed across the Web whether or not 
there is advertising involved. In contrast, DNT sends a signal with every request — 
whether to a publisher, advertiser, or social network — with no need to worry about 
new businesses or new business models. DNT is a protocol that can address users’ 
concerns and augment existing systems and initiatives. 

Research shows that some users want personalization, many favor privacy, but 
the majority will make up their minds based on whether they see value to them 
or not. 27 Tracking, in and of itself, is not necessarily a problem when users can 
participate in the decision and understand how they benefit. Issues arise when users 
are unable to control their browsing experience, or worse, lose confidence that they 
are an active participant in how information about them is collected, used and 
shared among sites and apps. 

DNT is narrowly-tailored to give users choice and control in a persistent, acces- 
sible way without preventing the customization and valuable advertising that pow- 
ers our rapidly-growing Web economy. Innovative and transparent ways for users 
to obtain personalized content in a manner that respects user choice are both desir- 
able and good for the Web. The DNT standard also envisions ways for users to re- 
quest personalization and offers new opportunities for compelling user engagement 
and trusted relationships. In addition, unlike the Do Not Call list and the Ad 
Choices program, DNT is free to advertisers. There are no annual subscriptions to 
lists or fees to use icons. There is no cost to the taxpayer. 

It will take more time for stakeholders to agree and best practices to emerge, as 
Do Not Track is a unique multi-party, client-server approach to addressing privacy. 
We will also need a period to educate users and listen to their feedback so that we 
can match the DNT system with their expectations and produce a compelling experi- 
ence. 

A DNT signal is not the beginning or the end of the privacy conversation, nor the 
only way user data is protected. Websites, service providers, ad networks play an 
essential role, and have much to offer by their own data practices and policies. 

III. Industry’s Ability to Provide Users With Tools to Adequately Protect 
Their Personal Information Online 

Privacy by Design is a crucial concept for the Committee to champion. As long 
as the Web economy provides incentives for companies to start collecting lots of user 
information, scale up, and then bolt on privacy protections after the fact, we are un- 
likely to see users satisfied with the promise of the available privacy tools and serv- 
ices. Privacy by design is an approach that addresses user data and privacy implica- 
tions of new products and services from the outset. There are many successful ex- 
amples of traditional and nontraditional companies that have built fully scalable 
and commercially viable products and services on the Web based on this approach. 
For example, one Web search engine never collects any logs 28 that can be associated 
with a particular person while still capturing all the information they need to build 
a powerful and viable service. And the GMAT switched to a less-intrusive method 
of verifying test-takers’ identities as it balanced important business needs with 
student privacy concerns. 29 

For years, the Internet worked on the model that anyone on the same mainframe 
was a co-worker, not a threat, and networking meant sending text files over 
modems. Worms, malware, and phishing attacks highlighted how much had 
changed in a short time. Since then, security has become a priority for companies. 
Microsoft famously retooled their operating system and software development proc- 
ess to address security problems. Now we are finding a similar crisis with the pri- 
vacy dimensions of user choice and control. It is not just users who lack a complete 


26 Lowenthal, T. Browser Vendors: fight for your users (April 29, 2011). 
<http://www.w3.org/2011/trackprivacy/papers/lowenthal position-paper.pdf>. 

27 McDonald, Aleecia M. and Cranor, Lorrie F. Beliefs and Behaviors: Internet Users’ Under- 
standing of Behavioral Advertising. In 38th Research Conference on Communication, Informa- 
tion and Internet Policy (Telecommunications Policy Research Conference) (October 2, 2010). 

28 DuckDuckGo Privacy, <https://duckduckgo.com/privacy.html>. 

29 Hill, Kashmir. Why ‘Privacy By Design’ Is The New Corporate Hotness. Forbes (July 28, 
2011). <http://www.forbes.com/sites/kashmirhill/2011/07/28/why-privacy-by-design-is-the-new-corporatehotness/> 





privacy picture. Companies are starting to realize they do not know what cookies 
they set, how they use data, and where it flows internally or externally. As an in- 
dustry, we are going to need efforts to figure that out, plus ensure we design with 
privacy in mind. 

We often talk about “personal information,” but we are beginning to understand 
that even data that does not include someone’s name, e-mail address, or social secu- 
rity number can have real privacy impacts. For example, Netflix viewing history — 
which on its face appears not to be personally identifiable at all — has been used to 
identify specific people’s sexual orientation and medical conditions. 30 The truth is 
that it’s incredibly hard to predict how several pieces of apparently unrelated infor- 
mation can be combined to produce uncomfortably personal insights. We already 
have the technology to implement much of the Web ecosystem while leaving users 
in control of even this sort of information. 

In conclusion, data sharing, control, security, and management are critical 
considerations for Mozilla. It is embraced in the products and services we create, and 
derives from a core belief that people should have the ability to maintain control over 
their entire Web experience, including how their information is collected, used and 
shared with other parties. We strive to ensure privacy and security innovations sup- 
port consumers in their everyday activities whether they are sharing information, 
conducting commercial transactions, engaging in social activities, or browsing the 
Web, but the key is informed and reasonable choice enabled by transparency. 
Mozilla is pleased to be part of a vibrant user data landscape that is rapidly evolv- 
ing to a future that will give people more choice and more control to participate fully 
in their online experience. 

Thank you, again, Senator Rockefeller and members of the Committee for the op- 
portunity to join you today. 

Senator Klobuchar. Thank you very much, Mr. Fowler. 

Mr. Swire? 

STATEMENT OF PETER SWIRE, C. WILLIAM O’NEILL 
PROFESSOR OF LAW, THE OHIO STATE UNIVERSITY 

Mr. Swire. Thank you, Madam Chair, Senator Rockefeller, and 
other distinguished members of the Committee. It’s a pleasure to 
testify here today on “The Need for Privacy Protections: Is Industry 
Self-Regulation Adequate?” 

I come here as a law professor and also as a former government 
official. I started working on privacy and self-regulation in the mid- 
1990s, and was Chief Counselor for Privacy under President Clin- 
ton. I was the White House lead for the HIPAA and Gramm-Leach- 
Bliley medical rules, and have worked on numerous self-regulatory 
rules, in the room negotiating these. 

So it’s with that background that the Committee asked me to 
talk about this history of what we’ve seen here, and, specifically, 
to look at the DAA’s exceptions in some of their things that we’ll 
get to. And that’s what I’ll focus my remarks on. 

My testimony has four sections. The first is when does privacy 
and self-regulation work? And the big theme here is, when you look 
at it, is that industry works a lot harder at this when government 
is paying attention. When industry thinks the government is not 
focused on it, the temptation is to say, “You know, we could do this, 
but we don’t have to. And it’s hard, and it’s a lot of work, and it 
might cost us money. We’re really not sure we want to do that.” 

But when you’re paying attention, when the White House is pay- 
ing attention, the FTC is paying attention, the conversation is en- 
tirely different. The conversation then is, “You know, if we don’t do 


30 Narayanan, A. and V. Shmatikov. Robust De-anonymization of Large Sparse Datasets 
(2008). <http://www.cs.utexas.edu/~shmat/shmat oak08netflix.pdf> 





it, they’re going to do it for us. So we have to come up with some- 
thing good.” 

And I think we saw that in the 1990s when industry stepped for- 
ward in a lot of ways. We’re seeing industry digging in and doing 
a lot of things right now. 

But in between, there was a period when the attention wasn’t 
here. And so the second point is, what have we seen from the his- 
tory? 

The history is, in the late 1990s, as the first Internet was 
ramping up, a lot of people were paying attention to privacy. It was 
the dot-com boom. Privacy policies were going up on websites. 

And then after 2000, things changed. The attacks of 2001 made 
privacy not nearly the same issue. A lot of other things were 
changing. So we have studies by academics on what happened to 
self-regulation after 2001. 

Most of the self-regulatory organizations in privacy disappeared. 
The others shrank drastically. That’s the history. 

Now there are some reasons for that. Part of it is the Internet 
economy changed. So the advertising economy went down and ef- 
fort went down. 

But if you look at the history, the history is, the pressure came 
off, and self-regulation dismantled to a very large extent. 

Now, some of the self-regulatory things continued. The ones that 
did tended to be when they were working together with govern- 
ment efforts, like under the Children’s Online Privacy Protection 
and CAN-SPAM. 

My third point, after the sort of theory and history is, what do 
we see right now with the Digital Advertising Alliance and, specifi- 
cally, the exceptions for market research and product development? 

The testimony goes through these in detail, looks at these mar- 
ket research and product development exceptions. They’re part of 
something in the report of the DAA that are called limitations on 
collection of multi-site data. The problem is, when you read them, 
there is no limitations on collection that I think are enforceable by 
the FTC. 

If a company makes these promises, I can’t figure out what they 
actually could be held to. And I came to DAA and talked to counsel 
in preparation for this hearing. We went through the language. 
And after that conversation, the DAA counsel specifically said that 
they are now willing to meet and discuss on market research and 
product development, and see what concrete changes can be made 
here. 

So industry once again is saying, “We’re going to work harder on 
this.” And I think this hearing helped to prompt attention to that, 
and I thank the Committee for that. 

Briefly, the fourth point before I conclude is, there is an area for 
win/win when it comes to the Internet and privacy, how to build 
that. And that’s the area of anonymization or de-identification. 

I think what happens here is, if we can do a better technical job 
of de-identifying, so that your name or your devices aren’t linked 
to what you’re doing, then that way we can use the data inten- 
sively, and we can have privacy protections. 





I’m involved in a research project on that with the Future of Pri- 
vacy Forum. Some of the proposed statutes talk about this issue of 
anonymization. I think it’s an area for future work. 

So, in summary, we’re in a period right now where there’s strong 
interest in this from Congress, from the press, the White House, 
the Federal Trade Commission, on “do not track” and related 
issues. There are many intelligent people of good will working hard 
on these issues. 

This is a time when it is time to lock in some of the progress 
that’s being made. Issues come and go. This is the time when this 
issue is in people’s attention. 

I think this hearing and the effort you’re doing can really help 
to make progress for better privacy and also for a better Internet 
going forward. 

Thank you and I look forward to any questions. 

[The prepared statement of Mr. Swire follows:] 

Prepared Statement of Peter Swire, C. William O’Neill Professor of Law, 
Moritz College of Law, The Ohio State University 

Chairman Rockefeller, Ranking Member Hutchison, and distinguished Committee 
Members, thank you for inviting me to testify on “The Need for Privacy Protections: 
Is Industry Self-Regulation Adequate?” 

I am the C. William O’Neill Professor of Law at the Moritz College of Law of the 
Ohio State University. I began working on privacy and self-regulation in the mid- 
1990s. In 1999 I was named Chief Counselor for Privacy, in the U.S. Office of Man- 
agement and Budget. In that role, I was the first (and thus far the only) person 
to have government-wide responsibility for privacy policy. As Chief Counselor for 
Privacy, I worked on both government regulation and self-regulation initiatives to 
protect privacy while meeting other societal goals. Since then, I have continued to 
write and speak extensively on privacy and security issues. 

For this testimony, Committee Staff requested that I provide historical context 
about self-regulation and privacy. I was also asked to discuss the Digital Adver- 
tising Alliance’s recent announcements with respect to Do Not Track, including the 
exceptions included in the DAA approach. In preparing this testimony, I have spo- 
ken at length with industry leaders, privacy advocates, and technologists. This testi- 
mony reflects my personal views as a law professor, a former government official, 
and a person who tries to help develop effective privacy practices in the U.S. and 
globally. 

This testimony has four sections, with the key points set forth in the introduction: 

(1) The threat of government regulation spurs the adoption of self-regulation. In 
1997 I presented a paper on privacy and self-regulation at a conference hosted 
by the U.S. Department of Commerce in which I explained that self-regulation 
works best when there is a credible threat that government will step in if in- 
dustry does not do a good job. Simply put, the industry dynamic around self- 
regulation is entirely transformed when there is a credible threat of govern- 
ment intervention. 

(2) The history of self-regulation after the 1990s shows that self-regulation de- 
clined when the credible threat of government action eroded. When public pol- 
icy attention shifted away from privacy after the first wave of effort in the 
1990s, there was little new progress in self-regulation to match technological 
change. Indeed, critics who have examined the history have found greatly re- 
duced effort in self-regulation. Some self-regulatory efforts continued, and ini- 
tiatives that were linked with ongoing government involvement seem to have 
endured more than others. 

(3) The current wave of attention to online privacy has produced progress on Do 
Not Track, but with broad exceptions to the announced collection limits. The 
Digital Advertising Alliance’s recent announcement that members would 
honor a Do Not Track header is potentially important to providing users with 
choice about their privacy online. However, the current exceptions for market 
research and product development swallow the Do Not Track rule. In addition, 
counsel for the DAA has informed me that they are open to concrete discus- 
sion about how to further improve these definitions in practice. 





(4) We should focus more attention on technical and administrative measures for 
de-identification in online privacy. The testimony concludes with a brief dis- 
cussion of an area for possible win/win scenarios when it comes to privacy and 
beneficial uses of data online. The idea is simple — technical and administra- 
tive safeguards can help ensure data is collected and used in ways that are 
not linked to the individual. 

In summary, there is currently strong attention on the part of Congress, the 
White House, and the Federal Trade Commission to Do Not Track and privacy 
issues for online advertising. With this public attention, now is the best opportunity 
to craft a good regime. When Do Not Track and related efforts are completed, there 
will be a temptation for policy makers to move onto other issues. That is why it is 
so important for the current Do Not Track standards and other current initiatives 
to be as well thought out as possible. 

The Threat of Government Regulation Spurs the Adoption of Self- 
Regulation 

In 1997 Secretary of Commerce William Daley and the National Telecommuni- 
cations and Information Administration hosted a conference on “Privacy and Self 
Regulation in the Information Age.” My paper for that conference, entitled “Mar- 
kets, Self-Regulation, and Government Enforcement in the Protection of Personal 
Information,” 1 emphasized that self-regulation works best when there is a credible 
threat that government will step in if industry does not do a good job. Simply put, 
the threat of government regulation is what spurs the adoption of self-regulation. 
As discussed in the next section, this conclusion matches the historical experience 
in privacy self-regulation. 

Self-regulation in privacy is a potentially useful approach where there are signifi- 
cant market failures as well as governmental failures. The 1997 paper highlighted 
a market failure that still applies to today’s online advertising market: “A chief fail- 
ure of the market approach is that customers find it costly or impossible to monitor 
how companies use personal information. When consumers cannot monitor effec- 
tively, companies have an incentive to over-use personal information: the companies 
get the full benefit of the use (in terms of their own marketing or the fee they re- 
ceive from third parties), but do not suffer for the costs of disclosure (the privacy 
loss to consumers).” 

The challenge for consumers to monitor online collection of data today in many 
ways is greater than it was for consumers in 1997. During that period, the Internet 
was dominated by first-party sites, where the user decided to surf at a particular 
website that might collect data. Today, collection by third parties is famously com- 
plex. 2 News stories in the Wall Street Journal “What They Know” series and else- 
where have shown that even the savviest users find it difficult to opt out of online 
tracking in a world where cookies respawn and a typical web page can send data 
to literally dozens of different companies. 

Along with these market imperfections, we know that government solutions are 
imperfect as well. Statutes and regulations are often slow to update to changed cir- 
cumstances. Needed statutes sometimes face gridlock. Rules can be over-broad (pro- 
hibiting net beneficial uses) and under-broad (permitting uses that consumers would 
object to in the market if they knew about them). 

These imperfections in market and regulatory approaches have repeatedly led 
those in the privacy debate to search for a third way, often called “self-regulation.” 
There are circumstances where self-regulation may be better than the alternative 
approaches. For instance, self-regulation is more tempting the greater the market 
and government regulatory failures. Some other factors that tend to favor self-regu- 
lation include: 

• Industry expertise that leads to better-informed rules; 

• Use for technical standards where many participants benefit from cooperation 
(i.e., network effects from adoption of standards for inter-connection or other 
purposes); 

• Protections against using self-regulation for cartel or other anticompetitive pur- 
poses; 


1 http://ssrn.com/abstract=11472. 

2 A chart of the complex display advertising ecosystem is at page 4 of Comments of the World 
Privacy Forum regarding the Federal Trade Commission Preliminary Staff Report “Protecting 
Consumer Privacy in an Era of Rapid Change,” (2011), at 
http://www.ftc.gov/os/comments/privacyreportframework/00117 (>-58005.pdf. 





• Incentives for the industry to enhance its reputation by adopting and complying 
with a self-regulatory regime; and 

• Effective mechanisms for enforcement through legal, reputational, or other 
means. 

We must also be realistic about the limits of self-regulation. Sometimes self-regu- 
lation has been chosen where those involved believed a statute or regulation would 
do a better job — even much-needed bills are often difficult to get through the legisla- 
tive process, and the Federal Trade Commission lacks Administrative Procedure Act 
rulemaking authority for most privacy issues. Where obstacles to a law are serious 
enough, self-regulation may be the second best option. 

A credible threat of government action is often the single greatest impetus to self- 
regulatory codes. Government action shapes the agenda, as we see today with this 
Senate hearing, and as the White House and FTC have shown on Do Not Track and 
other recent privacy issues. The threat of government action also transforms the 
dialogue inside industry meetings. When government is not interested, the person 
proposing the self-regulatory effort says: “Nothing is forcing us to do this, but the 
right thing would be to adopt a binding code of conduct.” When legislation and regu- 
lation are looming, the industry discussion is entirely different: “If we don’t do this 
ourselves, they will do it for us. We’ll be stuck with compliance for years to come, 
so we better have something good to say on this issue.” 

When the Credible Threat of Government Action Erodes so Do Self- 
Regulatory Programs 

The United States had a “first wave” of privacy policy activity related to the Inter- 
net from roughly 1996 to 2000. 3 Internet privacy then became a less prominent 
issue, especially after the attacks of September 11, 2001 focused national attention 
on uses of data to fight terrorism. We are now in a “second wave” of major attention 
to Internet privacy. This section of the testimony discusses lessons learned from 
what happened after the first wave subsided. When the credible threat of government 
action eroded, new self-regulatory activity essentially ceased and many self-regulatory 
programs eroded as well. 

This pattern matches the classic analysis of the “issue-attention cycle” by political 
scientist Anthony Downs, who wrote: “American public attention rarely remains 
sharply focused upon any one domestic issue for very long — even if it involves a con- 
tinuing problem of crucial importance to society.” 4 Downs emphasized that we 
should expect interest in an issue to wax and wane. Downs’ discussion is consistent 
with the thrust of my 1997 paper: “Over time, however, the legislative threat might 
ease. Agency attention may be directed elsewhere. As the threat of government ac- 
tion subsides, we might expect that self-regulatory efforts would also become more 
lax.” 

Examining the history of self-regulation after 2000, even defenders of self-regula- 
tion would agree that there was little new progress to match technological change, 
while critics are far harsher. Some self-regulatory efforts continued, and initiatives 
that were linked with ongoing government involvement seem to have lasted longer 
than others. 

The World Privacy Forum has written detailed reports about the failings of self- 
regulation after 2000. 5 Here are some key conclusions: 

• “We now have repetitive, specific, tangible examples of failed self regulation in 
the area of privacy. These examples are not mere anecdotes — these were signifi- 
cant national efforts that regulators took seriously.” 

• “Privacy self-regulation organizations were loudly promoted despite their lim- 
ited scope and substance.” 

• “Privacy self-regulation organizations were structurally weak, lacking meaning- 
ful ability to enforce their own rules or maintain memberships. Those who sub- 
scribed to self-regulation were usually free to drop out at any time.” 


3 Peter Swire, Why Privacy Legislation is Hot Now, Thehill.com, June 23, 2011, at
http://thehill.com/component/content/article/72-opinion/168267-why-privacy-legislation-is-hot-now.

4 Anthony Downs, Up and Down with Ecology — the “Issue-Attention Cycle,” 28 Public Interest
(Summer 1972), at 38.

5 Robert Gellman & Pam Dixon, Many Failures: A Brief History of Privacy Self-Regulation in
the United States, (2011), at http://www.worldprivacyforum.org/pdf/WPFselfregulationhistory.pdf;
World Privacy Forum, The Network Advertising Initiative: Failing at Consumer Protection
and Self Regulation, (2007), http://www.worldprivacyforum.org/pdf/WPF_NAI_report_Nov2_2007fs.pdf.





Similar conclusions come from Chris Hoofnagle, a law professor at the University 
of California, Berkeley and co-chair of the annual Privacy Law Scholars Conference. 
Based on his extensive experience with self-regulation, Hoofnagle wrote the fol- 
lowing in 2011: “Self-regulatory groups in the privacy field often form in reaction 
to the threat of regulation. They create protections that largely affirm their current 
and prospective business practices. The consumer rights created are narrow. They 
do not update their standards in response to changes, until the regulatory spotlight 
returns. Nor do they address new actors that raise similar concerns but fall outside 
of the self-regulatory regime.” 6 Just this week, Professor Hoofnagle released a study 
of the 100 most popular websites, finding that 21 of them placed 100 or more cook- 
ies onto users’ computers, with 84 percent of the cookies placed by third parties. 7 

The World Privacy Forum highlights five prominent examples of self-regulation 
from the first wave. 8 I quote these important examples verbatim, and then offer ob- 
servations: 

1. “The Individual Reference Services Group (IRSG) was announced in 1997 as a 
self-regulatory organization for companies that provide information that identi- 
fies or locates individuals. The group terminated in 2001, deceptively citing a 
newly passed regulatory law that made self-regulation unnecessary. However, 
that law did not cover IRSG companies.” 

2. “The Privacy Leadership Initiative began in 2000 to promote self regulation 
and to support privacy educational activities for business and for consumers. 
The organization lasted about two years.” 

3. “The Online Privacy Alliance began in 1998 with an interest in promoting in- 
dustry self regulation for privacy. OPA’s last reported activity appears to have 
taken place in 2001, although its website continues to exist and shows signs 
of an update in 2011.” 

4. “The Network Advertising Initiative had its origins in 1999, when the Federal 
Trade Commission showed interest in the privacy effects of online behavioral 
targeting. By 2003, when FTC interest in privacy regulation had evaporated, 
the NAI had only two members. Enforcement and audit activity lapsed as well. 
NAI did nothing to fulfill its promises or keep its standards up to date with 
current technology until 2008, when FTC interest increased.” 

5. “The BBBOnline Privacy Program began in 1998, with a substantive operation 
that included verification, monitoring and review, consumer dispute resolution, 
a compliance seal, enforcement mechanisms and an educational component. 
Several hundred companies participated in the early years, but interest did not 
continue and BBBOnline stopped accepting applications in 2007.” 

Based on my own experience and some interviews conducted in the days leading 
up to this hearing, I offer the following observations on these five prominent exam- 
ples. These observations are subject to the disclaimer about the limited time I have 
had to double-check each factual situation: 

1. Individual References Services Group: A lawyer who worked with the IRSG 
said that passage of Gramm-Leach-Bliley was indeed the key reason for the 
group’s demise. That law did set new limits on sales by financial institutions 
to data brokers. It did not, however, directly cover most activities of the data 
brokers who were members of IRSG. My impression is that the data broker in- 
dustry felt the political pressure was off by the time the group terminated. 
FTC Commissioner Julie Brill has recently emphasized the need for new pri- 
vacy initiatives concerning data brokers. 

2. Privacy Leadership Initiative: According to published reports at the time of its 
creation in 2000, the PLI planned to spend $30 to $40 million to support self- 
regulation rather than have online privacy legislation. Because political atten- 
tion to the issue soon faded, the sponsors apparently believed there was little 
reason to continue that level of effort after 2002. 

3. Online Privacy Alliance: The OPA was highly visible during the privacy de- 
bates in 1998-2000. If the online privacy issue had remained prominent, I 
think it is likely that the OPA would have remained much more active for con- 
siderably longer. 


6 Chris Hoofnagle, Can Privacy Self-Regulation Work for Consumers?, Jan. 26, 2011,
http://www.techpolicy.com/CanPrivacySelf-RegulationWork-Hoofnagle.aspx.

7 James Temple, Web Privacy Census Shows Tracking Pervasive, SFGate, June 26, 2012, at
http://www.sfgate.com/default/article/Web-Privacy-Census-shows-tracking-pervasive-3663642.php.

8 Gellman & Dixon, supra. 





4. Network Advertising Initiative: A senior person who worked with the NAI con- 
firmed the low membership number (two) by 2002, after the considerable fan- 
fare accompanying negotiation of the NAI code in 1999 and 2000. This source 
gave a different reason, however, for this decline: the collapse of the online ad- 
vertising market when the dot.com bubble burst. 

5. BBBOnline Privacy Program. One source explained its demise this way: “Its 
business model didn’t work.” It is unclear what combination of factors contrib- 
uted to its demise. However, factors likely included a poor fundraising struc- 
ture along with decreased demand for privacy services and a lack of political 
pressure for privacy protection. 

As with any description of recent history, different observers are likely to empha- 
size different aspects of this record. My own view, however, is that the most opti- 
mistic reasonable view of privacy self-regulation after 2000 was that there was little 
progress until privacy began to get “hot” again in the last few years. These five 
prominent self-regulatory examples are consistent with the view that self-regulatory 
effort fades as the credible threat of government intervention fades. All of these pro- 
grams garnered headlines when there was political focus on protecting privacy. All 
of these programs also disappeared or shrunk substantially when political attention 
focused elsewhere. 

With that said, it is useful to examine areas of self-regulation that persisted after 
2000: 

1. Website privacy policies. I have previously written about the effectiveness of the 
government efforts in the late 1990s to encourage commercial websites to post 
privacy policies. 9 Within three years, the portion of commercial sites with pri- 
vacy policies rose from only 12 percent to a resounding 90 percent, without leg- 
islation. Commercial websites overwhelmingly continued to post privacy poli- 
cies through the 2000s, encouraged in part by a 2003 California statute that 
requires such policies for companies targeting consumers there. The existence
of these policies is central to the FTC’s ability to bring enforcement actions for 
deceptive trade practices. It is true, of course, that the quality of privacy poli- 
cies is variable and often low. But this “self regulatory” practice of having pri- 
vacy policies has remained in effect, and is now extending to the mobile appli- 
cation space. 

2. CAN-SPAM. In the late 1990s and early 2000s, responsible companies sending 
commercial e-mail developed codes of good practice. A fundamental element of 
these practices was to permit consumer choice about receiving commercial e- 
mail from a particular company. Congress passed the CAN-SPAM Act in 2003. 
The law is subject to many criticisms, notably that (as with any law) it does 
not create a technological blockade against malicious spammers. With that 
said, I submit that the law has been very successful in a core aspect of con- 
sumer choice — CAN-SPAM requires companies to include an easy unsubscribe 
feature in each e-mail. I personally use this feature regularly, and legitimate 
companies stop sending me e-mail when I unsubscribe. In this instance, a self- 
regulatory effort was essentially incorporated into statute, and the unsubscribe 
feature continues to work. The Direct Marketing Association has also contin- 
ued with its E-mail Preference Service, going beyond CAN-SPAM minimum re- 
quirements. 10 

3. Safe Harbor. The U.S.-E.U. Safe Harbor was negotiated in 2000. Companies 
become subject to the Safe Harbor if they certify their membership to the De- 
partment of Commerce, and participants are considered to have “adequate” pri- 
vacy protections under the E.U. Data Protection Directive. Self-regulation is a 
prominent part of the Safe Harbor because participants must establish an 
independent recourse mechanism — must select a self-regulatory program — to 
investigate unresolved complaints. 11 Views about the effectiveness of the Safe 
Harbor vary widely. My own view is that there was a slow start initially for 
adoption of the Safe Harbor, but thousands of companies have entered it over 
time, and its principles are widely used even by companies that have not for- 
mally certified. The Safe Harbor has endured fairly well in contrast to the 
purely private-sector self-regulatory efforts; its official nature, furthermore, has
created a helpful framework for ongoing discussions and conferences for the
relevant U.S. and E.U. officials and other stakeholders.

9 Peter Swire, Trustwrap: The Importance of Legal Rules to Electronic Commerce and Internet
Privacy, 52 Hastings L.J. 847 (2003), at http://ssrn.com/abstract=424167.

10 http://www.dmaconsumers.org/consumers/optoutform_emps.shtml.

11 See http://export.gov/safeharbor/eu/eg_main_018495.asp.

These three examples all feature a mixed model of self-regulation, where self-reg- 
ulatory codes are a precursor to or component of government action. This mixed 
model is sometimes called “co-regulation,” to emphasize the explicit role the govern- 
ment plays along with industry and other stakeholders. Historical evidence from the 
first wave of Internet privacy, however, suggests that co-regulatory efforts survived 
better through the highs and lows of the issue-attention cycle than did pure self- 
regulatory approaches. 

The current wave of attention to online privacy has produced progress on Do Not 
Track, but with broad exceptions to the announced collection limits. 

In the last few years, online privacy has become a hot issue again. Three major 
industry trends are driving this process: the rise of Facebook and other social media 
sites; the rapid growth in mobile devices, with their implications for location pri- 
vacy; and the online advertising issues that are the subject of this hearing. 12 These 
industry trends have been extensively covered in the press. These technological and 
market changes have prompted political leaders to respond. The E.U. has promul- 
gated a directive limiting use of online cookies and now its draft omnibus Data Pro- 
tection Regulation. The Administration issued its Green Paper and now its Con- 
sumer Online Privacy Bill of Rights. The FTC has been very active on privacy, and 
has focused public attention on Do Not Track. Congress has devoted much more 
time to privacy, including today’s hearing. 

The issue-attention cycle has returned to online privacy. Predictably, so has self- 
regulation. The Network Advertising Initiative has recovered from its slump in the 
early 2000s to reach a record membership and level of activity. The Digital Adver- 
tising Alliance has spent an enormous number of hours bringing to the table a wide 
range of players who have never before worked in such detail on privacy issues. 
Later this month, the Commerce Department will convene a multistakeholder proc- 
ess to address mobile application privacy issues. 

Committee Staff have specifically asked me to discuss the Digital Advertising Alli- 
ance’s recent announcements with respect to Do Not Track, including the exceptions 
included in the DAA approach. In my view, the DAA’s announcement to honor a Do 
Not Track header is potentially important to providing users with choice about their 
privacy online. In their current form, however, the exceptions for market research and 
product development swallow the Do Not Track rule. In addition, counsel for the 
DAA has informed me that they are open to concrete discussion about how to further 
improve these definitions in practice. 

The DAA is a coalition of online advertising organizations, including the Associa- 
tion of National Advertisers, whose President, Bob Liodice, is testifying here today. 
In 2009, the DAA released “Self-Regulatory Principles for Online Behavioral Adver- 
tising,” which contained principles on education, transparency, consumer control, 
data security, material changes, sensitive data, and accountability. 13 In November 
2011, the DAA released “Self-Regulatory Principles for Multi-Site Data,” which ex- 
tended the 2009 principles beyond online behavioral advertising and also defined a 
number of important exceptions. In connection with the White House privacy event 
in February, the DAA agreed that its members would comply when consumers se- 
lected Do Not Track in their browsers, with enforcement by the FTC. 14 

These actions by the DAA have accompanied lengthy negotiations on a standard 
for Do Not Track in the World Wide Web Consortium (W3C). The W3C is a re- 
spected organization that has been instrumental to promulgation of many of the 
technical standards at the core of the modern Internet. The W3C process has in- 
volved privacy advocates, technologists, and industry leaders, including members of 
the DAA. I have not personally attended the W3C meetings, but I have stayed in 
close contact with participants from all the major perspectives. The W3C working 
group met for three days last week in Seattle. Although there has been important 
progress toward consensus on some issues, the scope of the exceptions has remained 
controversial, including but not limited to the exceptions for market research and 
product placement. 


12 Peter Swire, Why Privacy Legislation is Hot Now, Thehill.com, June 23, 2011, at
http://thehill.com/component/content/article/72-opinion/168267-why-privacy-legislation-is-hot-now.

13 http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf

14 The White House, We Can’t Wait: Obama Administration Unveils Blueprint for a “Privacy
Bill of Rights” to Protect Consumers Online, Feb. 23, 2012, at
http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights.


To place these exceptions in context, the consumer control part of the 2009 DAA 
principles enables “users of websites at which data is collected for online behavioral 
advertising purposes the ability to choose whether data is collected and used or 
transferred to a non-affiliate for such purposes.” The 2011 DAA principles go further 
by saying that third parties and service providers “should provide consumers with 
transparency and consumer control” for purposes other than online behavioral ad- 
vertising. Along with these limits on collection of multi-site data, the 2011 principles 
restrict the use of multi-site data for eligibility for employment, credit, health care, 
or insurance. 

The 2011 principles contain important exceptions to the general rule of trans- 
parency and consumer control. One category of exceptions is for “operations and sys- 
tem management purposes.” Those purposes appear quite broad: “intellectual prop- 
erty protection; compliance, public purpose and consumer safety; authentication, 
verification, fraud prevention and security; billing or product or service fulfillment; 
or Reporting or Delivery.” There is also an exception for data that will go through 
a de-identification process, as discussed further below. 

I will focus my remarks on the remarkably broad exceptions in the 2011 DAA 
principles, “for market research or product development.” These exceptions are so 
open-ended that I have not been able to discern any limits on collection under them. 
Market research includes “research about consumers.” 15 That would seem to include 
keeping track of every click made by a consumer. Market research also includes 
analysis of “consumer preferences and behaviors.” Again, if I were an FTC enforcer, 
I don’t know what lies outside the scope of the exception. The definition of product 
development is similarly broad. It includes analysis of “the characteristics of a mar- 
ket or group of consumers.” To analyze a “group of consumers” would seemingly per- 
mit collecting each click made by those consumers. Similarly, product development 
includes analysis of “the performance of a product, service, or feature.” 

The 2011 DAA principles place one limit on information collected under the mar- 
ket research and product development exceptions. They state that the terms do not 
“include sales, promotional, or marketing activities directed at a specific computer 
or device.” Thus, companies should not collect information from Alice or Bob under 
the exceptions, and then use their specific knowledge about Alice or Bob to target 
their computers or other devices. The scope of this consumer protection, however, 
is currently unclear. The principles do permit any contact back to the computer of 
Alice or Bob “based on an aggregate use of data.” The current principles do not offer 
further guidance on what is permitted based on that aggregate use of data. 

After reading the text of these exceptions to prepare this testimony, I then spoke 
with experts from both industry and the advocacy community to test the accuracy
of my reading. My understanding, under the 2011 DAA principles, is that under the 
market research and product development exceptions: 

• Companies have no transparency requirement; 

• Companies have no consumer choice requirement; 

• Companies can keep the data indefinitely; 

• Companies can identify data that is collected without the user’s name, and com- 
bine it with identified data; 

• Companies can combine their data with data from other sources, to build up 
a more detailed profile; and 

• Companies can share data with other third parties so long as it is not used to 
market back to the specific computer or device. 

To summarize, the 2011 DAA principles have a section called “Limitations on the 
Collection of Multi-Site Data.” The market research and product development excep- 
tions are part of that section. As drafted, it is difficult to see what limitations on 
collection could be enforced given the breadth of the exceptions. 

What should be done in light of these findings? The counsel for the DAA has
informed me that they are open to concrete discussions about how to further improve
these definitions in practice. Counsel specifically understood that I would state that 
in this testimony. 

My view is that considerably more work needs to be done in defining the market
research and product development exceptions. As one person, I don’t presume to
know the answers to these complex questions. I do believe, however, that
participants can get helpful insights from the way that market research and research
generally have been handled in other contexts that implicate privacy. For instance,
telephone market research has existed for decades. My understanding is that there are
well-developed practices, and perhaps codes of conduct, for protecting confidentiality
in telephone market research. To my knowledge, there have not been recent
scandals about whether Gallup or some other research firm has re-identified an
individual’s response to a telephone survey. Based on discussions with participants in the
W3C process, these offline market research precedents have not been discussed at
the W3C. Perhaps the online community can learn from the historical practice for
offline market research.

15 “Market Research means the analysis of: market segmentation or trends; consumer
preferences and behaviors; research about consumers, products, or services; or the
effectiveness of marketing or advertising. A key characteristic of market research is that
the data is not re-identified to market directly back to, or otherwise re-contact a specific
computer or device. Thus, the term “market research” does not include sales, promotional,
or marketing activities directed at a specific computer or device.”

Similarly, we have extensive experience on how to define and conduct research 
in other settings. Many Federal agencies gather data for statistical research, from 
the Census to economic statistics and many other purposes. These agencies have 
years of experience of how to get needed statistical information while preserving 
confidentiality, and the current online advertising debates should draw on that ex- 
pertise. 16 Under the HIPAA medical privacy rule, there are at least four methods 
for conducting research on protected health information: (1) individual consent; (2) 
de-identification of the data; (3) with authorization from an Institutional Review 
Board or Privacy Board; or (4) on limited data sets, where the researchers agree to 
comply with confidentiality conditions in order to get the data. 

I am not saying that the rules for medical research should apply online; instead, 
the point is that researchers have used data intensively in many settings other than 
online advertising. The online advertising debates should be better informed by the 
institutional options that have been developed in areas such as offline market re- 
search, government statistics, and medical research. 

Improve & Employ Technical and Administrative Measures for 
De-Identification in Online Privacy 

Before concluding, I will briefly discuss an area where there may be important 
win/win outcomes both for privacy and beneficial uses of data about online
activities. With the Future of Privacy Forum, I am conducting a research project on
de-identification in the online advertising space. We have received expressions of
interest from industry, privacy advocates, and technologists.

The idea is simple — we should employ technical and administrative safeguards so 
that data is collected and used in ways that are not linked to the individual. If we 
can build effective safeguards, then data can be used more intensively while pro- 
tecting against privacy problems. 

Doing de-identification well is a challenging problem, but I believe we are now in 
a time when more work is needed about how to do it online. In its recent report, 
the FTC proposed a promising approach to de-identification, which includes tech- 
nical measures as well as public statements from companies that they will not re- 
identify individuals, with those statements being enforceable under the FTC Act. 17 
The 2011 DAA principles contemplate greater use of de-identification, where “an en- 
tity has taken reasonable steps to ensure that the data cannot reasonably be re-as- 
sociated or connected to an individual.” I have started to write on this topic, 18 and 
recently submitted comments to the Department of Commerce about how de-identi- 
fication could be a candidate for a multi-stakeholder process. 19 

Due to its highly technical nature, it is difficult to craft a statute that states spe- 
cifically how to achieve de-identification. To date, there has not been enough work 
to understand what mix of technical and administrative safeguards will best protect 
privacy while also enabling beneficial uses of information. I hope that many parties 
will focus more attention on how to build de-identification more effectively into our 
Internet practices. 

Conclusion 

In conclusion, let me state my optimism about the intelligence, good faith, and 
willingness to work hard on these issues in industry, the privacy advocacy commu- 
nity, and among technologists. The online advertising eco-system today is much 
more complex than in the 1990s. There are major institutional challenges in under- 
standing the technology and market forces, and coordinating a response. 


16 For a history of confidentiality and Federal statistics, see Douglas J. Sylvester & Sharon
Lohr, Counting on Confidentiality: Legal and Statistical Approaches to Federal Privacy Law
After the USA PATRIOT Act, 2005 Wis. L. Rev. 1033.

17 Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change (2012),
at http://ftc.gov/os/2012/03/120326privacyreport.pdf.

18 http://www.peterswire.net/psspeeches2011.htm.

19 http://www.ntia.doc.gov/federal-register-notice/2012/comments-multistakeholder-process.


In making progress on such issues, we should be informed by the history. When 
Congress and agencies focus on an issue, the attention often brings out the best in 
industry. The public attention empowers technologists and other privacy experts 
within companies and industry groups to convince their colleagues to take effective 
measures to protect privacy. By contrast, if the pressure is off, the privacy experts 
within industry find it more difficult to get their colleagues to protect personal infor- 
mation. 

Getting online privacy right is important for each of us as Americans. In testi- 
mony last fall before the House Energy & Commerce Committee, I explained that 
a “we don’t care about privacy” approach from the United States would create risks 
for American jobs, exports, and businesses. 20 

More simply, I personally would not like to have an Internet where I believed that 
each moment of my browsing might easily be breached and shown to the entire 
world. For you and your families, it would reduce the quality of the Internet if you 
thought that any page you visited needed to be treated like something that might 
be released to the public. That is not the experience we have today. However, if we 
do not foster good practices, then we risk losing confidence in our use of the Inter- 
net. 

Thank you once again for the invitation to testify today. I am happy to respond 
to your questions. 

Biographical Information 

Peter Swire is the C. William O’Neill Professor of Law at the Moritz College of 
Law of the Ohio State University. He began working on privacy and self-regulation 
in the mid-1990s. In 1998, he was the lead author, with Robert Litan, of “None of 
Your Business: World Data Flows, Electronic Commerce, and the European Privacy 
Directive,” published by the Brookings Institution. In 1999, he was named Chief 
Counselor for Privacy, in the U.S. Office of Management and Budget. In that role, 
he was the first (and thus far the only) person to have government-wide
responsibility for privacy policy.

As Chief Counselor for Privacy, he worked on both government regulation and 
self-regulation initiatives to protect privacy while meeting other societal goals. On 
the government regulation side, he was the White House lead on the HIPAA med- 
ical privacy rule and on the financial privacy rules implementing the Gramm-Leach- 
Bliley Act. For self-regulation, he worked extensively in connection with the Net- 
work Advertising Initiative code of 2000, and helped negotiate the Safe Harbor 
agreement for data flows between the E.U. and the U.S., including a major role 
under the Safe Harbor for self-regulatory associations. 

In 2001, Swire returned to law teaching. He has since continued to write and 
speak extensively on privacy and security issues, with publications and speeches 
available at www.peterswire.net. In 2009 and 2010 he was Special Assistant to the 
President for Economic Policy, serving in the National Economic Council under Dr. 
Lawrence Summers. In 2010, he once again returned to law teaching at The Ohio 
State University. He lives in the D.C. area. 

Senator Klobuchar. Thank you very much. 

Mr. Szoka? 

STATEMENT OF BERIN SZOKA, PRESIDENT, TECHFREEDOM

Mr. Szoka. Chairman Rockefeller, members of the Committee, 
thank you again for inviting me here to testify about privacy today. 

First, at the Progress and Freedom Foundation and now at 
TechFreedom, I’ve worked for over 4 years to articulate from the 
think-tank world an alternative perspective on privacy that 
stresses the enormous value created by data, while recognizing the 
need to prevent its abuse. 

While we’re all here engaged in fixing the problems, we mustn’t 
lose sight of the forest for the trees. The benefits of collection and 
the use of data to date have dramatically outstripped its costs of 
the relatively few abuses. 


20 Peter Swire, Internet Privacy: The Impact and Burden of EU Regulation, Statement before
the House Energy & Commerce Committee, Sept. 15, 2011, at
http://www.americanprogressaction.org/issues/2011/09/swire_testimony.html.


So in considering how to address abuses, I agree: self-regulation 
is not enough. So-called baseline legislation is, indeed, necessary. 

But such a baseline already exists. Section V empowers the FTC 
to prohibit as unfair uses of data that do more harm than good and 
that consumers themselves cannot reasonably avoid. Further, the 
act empowers the FTC to enforce self-regulation by holding compa- 
nies to their promises. 

Above this baseline, we’ve built a layered approach to privacy 
protection, including narrow legislation to address particularly 
thorny problems. But the genius of American law is our largely ev- 
olutionary, common-law model, addressing problems as they arise, 
and learning from past successes and failures, rather than attempt- 
ing to design a comprehensive regulatory scheme wholesale. 

Our system is what Richard Epstein famously called “Simple 
Rules for a Complex World.” 

The FTC’s effectiveness should be measured not by counting set- 
tled cases but in development of a quasi-common law of privacy. 
Yet today, companies have only FTC complaints and consent de- 
crees with little analysis to guide them. 

I suggest the agency take four steps. First, explain its analysis 
and consent decrees. Second, issue no-action letters when deciding 
not to sue. Third, issue advisory opinions upon request to guide in- 
dustry on how the agency might evaluate new privacy practices. 
And fourth, issue guidelines explaining how the agency has applied 
unfairness and deception in past cases and how it plans to do so 
in the future, in particular, clarifying the boundaries of privacy 
harm. 

Congress should encourage the FTC to do these things and en- 
sure that they have the resources necessary to do these things and 
to keep pace with technological change. But policymakers and, I 
hasten to add, everyone else necessarily lack the expertise and 
foresight to freeze in place today fair information practices. The 
technologies involved are simply evolving too rapidly and the trade- 
offs are too complex. 

This is why the White House stressed the flexibility, speed, and 
decentralization that only self-regulation can provide. 

Congress should, however, carefully scrutinize how the FTC has 
used soft power to influence self-regulation, and how that power 
has reinforced incumbents’ market power. Nowhere is this more 
true or potentially more dangerous than in W3C’s “do not track” 
process. 

As FTC Commissioner Tom Rosch has noted, the major browser 
firms’ interest in developing “do not track” mechanisms begs the 
question of whether and to what extent these major browser firms 
might act strategically and opportunistically. 

The W3C process has rested on the principle of user choice. 
Microsoft breached this consensus when it decided in its new IE 10 
browser that it would set “do not track” headers by default. Default 
“do not track” on doesn’t empower users any more than would set- 
ting ad blocking by default. Default “do not track” on simply em- 
powers browser makers to force fundamental changes in the Inter- 
net’s ecosystem. 

From today’s low friction, flat ecosystem of independent sites and 
services, funded by generally impersonal data collection, default
“do not track” on could take us to an Internet with fewer players
who collect more data with less transparency. 

In the worst case, opt-in dystopia, consumers could be made sig- 
nificantly worse off in three ways. 

First, if publishers have to rely on micropayments or subscrip- 
tions, their revenues will likely drop. 

Ironically, second, in the name of privacy, we could actually in- 
crease user tracking, because those sites and services that do ob- 
tain opt-ins will likely collect more personal data. 

And third, few publishers in data-driven companies will be able 
to obtain opt-in exceptions to “do not track.” This will force unprec- 
edented consolidation in the Internet ecosystem. And thus, with the 
best of intentions, we may be blithely heading toward reshaping 
the Internet. 

But even more troubling is the way we’re doing it. This isn’t the 
result of a bottom-up evolutionary process. It’s more like collusion 
between government and powerful market players. It is not self- 
regulation but co-regulation. 

It is the European model, where governments steer by extra legal 
threats, and the industry merely rows; where government encour- 
ages powerful incumbents who use market power to serve their 
own agendas with government’s blessing. 

Given the FTC’s heavy involvement in the W3C process, Con- 
gress should ask the FTC to explain what exactly its role has been, 
especially in Microsoft’s decision to defy W3C’s principle of user 
choice. 

No one would deny that regulatory agencies play a significant 
role in encouraging self-regulation. But with due respect to my 
friend and colleague, Peter, the extra legal intimidation that he 
and Tim Wu have endorsed is deeply dangerous. 

If government can regulate the Internet without statutory au- 
thority or judicial review simply because its goals seem noble, the 
rule of law does not exist online. 

The better way for the FTC to encourage self-regulation is 
through the legal means I have suggested — building a quasi-com- 
mon law subject to clear standards and subject to review, if not by 
the courts then by Congress.

Again, thank you for inviting me here today. And I look forward 
to your questions. 

[The prepared statement of Mr. Szoka follows:] 

Prepared Statement of Berin Szoka, President, TechFreedom 1 

I. Introduction 

Chairman Rockefeller, Ranking Member Hutchison — thank you for inviting me to 
testify about privacy again before your Committee. As President of TechFreedom, 
a non-profit think tank, and before that, as Director of the Center for Internet Free- 
dom at The Progress & Freedom Foundation, I have worked for over four years to 
articulate an alternative perspective on privacy that recognizes both the enormous 
value created by data and the need to prevent abuses of data. The debate thus far 
has systematically underestimated the benefits to consumers from the use of personal
data to tailor advertising, develop new products, and conduct research, while
overstating the dangers of data, which remain largely conjectural.

1 Berin Szoka (@BerinSzoka) is President of TechFreedom, a non-profit, non-partisan
technology policy think tank. He has written and commented extensively on consumer privacy. In
particular, he testified on Balancing Privacy and Innovation before the House Energy &
Commerce Committee, Subcommittee on Commerce, Manufacturing, and Trade on March 29, 2012,
available at http://tch.fm/KCrz8k, (“Szoka Testimony”).

With the best of intentions, we are heading towards reshaping the fundamentals 
of the Internet — in ways that may have serious negative unintended consequences 
for privacy, the sites and services consumers enjoy, and the health of the ecosystem. 
But the way we’re doing it may be even more troubling. This is not the result of 
a bottom-up evolutionary process, but of collusion between government and powerful 
market players. We are heading for opt-in dystopias. 

II. The American Layered Approach to Privacy 

I agree that self-regulation is not enough, that so-called “baseline” legislation is, 
indeed, necessary. I disagree, however, that new baseline legislation is needed. We 
already have baseline consumer protection legislation: Section V of the Federal 
Trade Commission Act 2 empowers the FTC not only to enforce self-regulation by 
holding companies to their promises, but also to prohibit as “unfair” uses of personal 
data that do more harm than good and that consumers themselves cannot reason- 
ably avoid. States have similar legislation, empowering Attorneys General to act, 3 
and class action lawsuits also deter privacy violations. 4 

On top of this baseline, we have built a layered approach to privacy protection. 
Where the FTC’s authority has proven inadequate, Congress has enacted legislation 
to address specific problems, such as the Children’s Online Privacy Protection Act 5 
and the Fair Credit Reporting Act. 6 But in general, American law follows a common 
law model, addressing problems on a case by case basis rather than attempting to 
design a comprehensive regulatory scheme adequate for both present and future. 
This is what Richard Epstein famously called “Simple Rules for a Complex World.” 7 
The Electronic Frontier Foundation’s Mike Godwin put it best in 1998 when he said: 
“It’s easier to learn from history than it is to learn from the future. Almost always, 
the time-tested laws and legal principles we already have in place are more than 
adequate to address the new medium.” 8 

Applying baseline principles of consumer protection is the best way to address 
new privacy challenges, given the ever-changing nature of the technologies involved 
and the inevitable trade-offs among competing conceptions of privacy, and between 
privacy and other values — such as: 

• Funding for innovative media and services that would not otherwise be avail- 
able; 

• The diversity and competitiveness of an Internet ecosystem with low barriers 
to entry; 

• The ease of use for consumers of an Internet that is not divided by checkpoints 
asking for consent or payment as users cross domain name boundaries; 

• The innovation driven by discoveries made possible by analyzing what some 
have pejoratively labeled “Big Data,” and so on. 

Policymakers simply do not have the expertise or foresight to make complex rules 
to decide these trade-offs — or the time to become experts in complex technologies. 
So it is here that self-regulation plays a critical role in our layered approach to pri- 
vacy. As the White House privacy report acknowledged, self-regulation alone “can 
provide the flexibility, speed, and decentralization necessary to address Internet pol- 
icy challenges.” 9 

In short, self-regulation is necessary, but not sufficient. It must work in tandem 
with the enforcement of existing laws — which I believe can be enhanced significantly 
without new legislation. But we must also understand that self-regulation is merely
one part of a broader process by which market forces discipline corporations in how
they collect, process, use and distribute personal data about us. Together, this layered
approach is the best way to maximize the enormous benefits offered by the use
of personal data while minimizing its occasional abuse.

2 15 U.S.C. §45 (2006).

3 Henry N. Butler & Joshua D. Wright, Are State Consumer Protection Acts Really Little-FTC
Acts?, 63 Fla. L. Rev. 163, 165 (2011) (discussing state laws empowering attorneys general to
“combat consumer fraud and other deceptive practices”).

4 Glenn G. Lammi, “Thanks, Google Buzz: Class Action Lawyers Celebrate Impending Fees,”
Forbes, Nov. 3, 2010, available at
http://www.forbes.com/sites/docket/2010/11/03/thanks-google-buzz-class-action-lawyers-celebrate-impending-fees/.

5 Children’s Online Privacy Protection Act of 1998, Pub. L. No. 105-277, 112 Stat. 2581-728
(codified in 15 U.S.C. §§6501-6506).

6 Fair Credit Reporting Act of 1970, Pub. L. 91-508; 84 Stat. 1128 (codified in 15 U.S.C.
§ 1681).

7 Richard A. Epstein, Simple Rules for a Complex World (1995).

8 Quoted in Virginia Postrel, The Future and Its Enemies: The Growing Conflict Over
Creativity, Enterprise, and Progress at 48 (Touchstone 1998).

9 The White House, Consumer Data Privacy in a Networked World: A Framework for
Protecting Privacy and Promoting Innovation in the Global Digital Economy at 23,
http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.

III. Market Regulation of Privacy 

Companies do not operate in a vacuum. They compete not just for customers, but 
to protect their good name in the eyes of business partners, shareholders, media 
watchdogs, potential employees, and citizens themselves. Nowhere in the economy 
is this more true than online, where companies compete both for consumers’ atten- 
tion and for the trust of business partners, especially advertisers. 

The social media revolution has made it possible for anyone concerned about on- 
line privacy to blow the whistle on true privacy violations. That whistle may not 
always be loud enough to be heard, but it’s more likely in this sector than any other. 
Traditional media sources like the Wall Street Journal have played a critical role 
in attracting attention to corporate privacy policies through “What They Know” se- 
ries, 10 which has been popularized using social media tools. Reporters like Julia 
Angwin may rightly lament the failure of self-regulation in any particular case, but 
the very act of their criticism is essential for market regulation to function, because 
they are powerful actors in the marketplaces of ideas and reputation. 

Earlier this year, social media tools were directed at Congress — to great effect — 
to express grassroots concern about the impact of proposed copyright legislation. 
While some Internet companies certainly helped to promote these messages, even 
were it not for their involvement, this experience would demonstrate how effective 
social media activism can be. There is no reason why such techniques cannot be 
used effectively against major Internet companies themselves, just as Facebook 
users have used Facebook itself to rally opposition to Facebook on privacy concerns 
such as its Beacon ad targeting system. 11 “The herd will be heard,” as Bob Garfield 
memorably put it in his 2009 book, The Chaos Scenario: Amid the Ruins of Mass 
Media. 12 The Choice for Business Is Stark: Listen or Perish. Among the most impor- 
tant factors driving companies to participate constructively in the multi-stakeholder 
process, to forge meaningful privacy protections, and to abide by them is the fear 
of a Wall Street Journal article, a social media frenzy, or organized campaign de- 
manding action on a particular privacy problem. 

As Wayne Crews of Competitive Enterprise Institute put it in testimony before 
this committee in 2008: 

Businesses are disciplined by responses of their competitors. Political regulation 
is premature; but “self-regulation” like that described in the FTC principles is 
a misnomer; it is competitive discipline that market processes impose on ven- 
dors. Nobody in a free market is so fortunate as to be able to “self regulate.” 
Apart from the consumer rejection just noted, firms are regulated by the com- 
petitive threats posed by rivals, by Wall Street and intolerant investors, indeed 
by computer science itself. 13 

IV. Enhancing the American Layered Approach to Privacy 

As I argued in March in testimony before the House Energy & Commerce Com- 
mittee’s Subcommittee on Commerce & Manufacturing, 14 the FTC could do much 
more with its existing authority to build an effective quasi-common law of privacy 
in three ways. 

First, Congress should assess whether the FTC has adequate institutional resources
and expertise. If the FTC had heeded my fellow panelist Peter Swire’s call
for the FTC to build an office of information technology five years ago, 15 our layered
privacy approach would today be far more effective in protecting consumers
and ensuring their trust, and less easily dismissed as inadequate by foreign privacy
regulators. Chairman Leibowitz deserves credit for appointing the agency’s first
Chief Technologist. But even with someone as talented as Ed Felten in that position,
the FTC is still way behind the curve: His title is not Chief Technology Officer
because there is no office behind him.

10 See generally What They Know, Wall St. J., 2012, http://blogs.wsj.com/wtk/.

11 See, e.g., Kirsten E. Marti, Facebook (A): Beacon and Privacy 3 (2010), available at
http://www.darden.virginia.edu/corporate-ethics/pdf/Facebook%20_A_business_ethics-case_bri-1006a.pdf
(“The online community responded immediately to this intrusion. MoveOn.org created
a Facebook group “Petition: Facebook, stop invading my privacy!” that stated: “Sites like
Facebook must respect my privacy. They should not tell my friends what I buy on other sites —
or let companies use my name to endorse their products — without my explicit permission.” The
Facebook group and petition had 2,000 members within the first 24 hours and eventually grew
to over 80,000 names.” [internal citations omitted]).

12 James Cherkoff, “The Joy of a Gated Community,” The Chaos Scenario, June 1, 2010,
http://thechaosscenario.net/.

13 Wayne Crews, Testimony Before the Senate Committee on Commerce, July 9, 2008,
available at
http://cei.org/sites/default/files/Wayne%20Crews%20-%20Senate%20Commerce%20Testimony%20-%20Online%20Advertising,%20July%209%202008.pdf.

14 Berin Szoka, Testimony Before the House Energy & Commerce Committee, Subcommittee
on Commerce, Manufacturing, and Trade, “Balancing Privacy and Innovation: Does the
President’s Proposal Tip the Scale?”, Mar. 29, 2012, available at
http://techfreedom.org/sites/default/files/Szoka%20Privacy%20Testimony%20to%20CMT%203.29.12%20v3%20(final)_0.pdf.

The FTC needs a clear strategic plan outlining (a) how to build the in-house tech- 
nical expertise it needs (beyond basic IT infrastructure) to identify enforcement ac- 
tions, support successful litigation, monitor compliance, and conduct long-term plan- 
ning and policy work, and (b) the resources necessary to achieve that goal through 
a combination of re-prioritizing current agency spending and additional appropria- 
tions. Importantly, this organization should function as a cohesive team that meets 
the needs for technical expertise of all the FTC’s bureaus and offices (including the 
Bureau of Competition). A stand-alone organization could, like the Bureau of Eco- 
nomics, better attract and retain talent. 

Second, the clearer privacy promises are, the more easily the FTC will be able 
to enforce them. One important way to achieve this goal would be for the FTC to 
promote the use of “smart disclosure” — the term used by Cass Sunstein, director of 
the Office of Information and Regulatory Affairs and a close advisor to President 
Obama, and a widely respected thinker in law, policy and technology. Smart disclo- 
sure can empower consumers by letting software do the work for them of reading 
privacy policies — and then implement their privacy preferences. 

For example, users could subscribe to the privacy recommendations of, say, Con- 
sumer Reports, or any privacy advocacy group, which in turn could set their phone 
to warn them if they install an app that does not meet the privacy practices those 
trusted third parties deem adequate. Or, more simply, such a system could work for 
communicating whether a site, service or app accedes to a particular self-regulatory
code of conduct — and phone privacy controls could be set by default to provide special
notices when users attempt to install apps that do not certify compliance with
self-regulatory codes of conduct. As the FTC Privacy Report notes, smart disclosure
could also “give consumers the ability to compare privacy practices among different
companies.” 16 An app store might illustrate how such comparisons could work,
allowing users trying to choose between several competing apps to compare their
privacy practices side by side.

While it would be preferable for smart disclosure to arise through self-regulation, 
especially given the complexity of crafting disclosure formats, mandating disclosure 
of privacy practices would generally be a better way for government to address dem- 
onstrated market failures than by dictating what constitutes fair information prac- 
tices — and thus might be an appropriate area for Congress to explore legislation at 
some point. 

Third, the proper measure of the FTC’s effectiveness is not how many suits it suc- 
cessfully settles, but how well it contributes to the development of a quasi-common 
law of privacy that can guide companies pushing the envelope with new data-driven 
technologies — without stifling innovation that ultimately serves consumers. The 
chief problem today is that companies have only FTC complaints and consent de- 
crees to guide in predicting the course of the law. These documents offer very little 
explanation of how the facts of a particular case satisfy the FTC’s Policy Statements 
on unfairness and deception. And these summary assertions are never tested in 
court, both because of the cost of litigation relative to settlement, and because
the cost to a defendant company of bad publicity from being perceived as anti-privacy
exceeds the benefits of taking the FTC to court — even when they would likely
prevail given the FTC’s overreach. While this should reassure us that reputation
markets exert far greater pressure to discipline companies on privacy than is com- 
monly appreciated, it also means that we lack the key ingredient for building a true 
common law: judicial scrutiny in an adversarial process. 

15 Peter Swire, Funding the FTC: Globalization and New Information Technologies Necessitate
an Appropriations Boost, Feb. 26, 2007,
http://www.americanprogress.org/issues/2007/02/ftc.html.

16 Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers 62 (“FTC Report”),
http://www.ftc.gov/os/2012/03/120326privacyreport.pdf

The forces that keep privacy adjudication out of the courts and prevent development
of privacy common law by judges are not likely to be easily overcome by
FTC — or even Congressional — action. So we need to find alternative ways to replicate
the adversarial process of careful analysis by which courts build upon simple
rules to address the challenges of a complex world. I suggest the following six possible
ways for the FTC to make better use of its existing authority to build a quasi
common law:

1. The Commission (or individual Commissioners) should provide greater analysis 
of its rationale under its Unfairness and Deception Policy Statements for 
issuing each consent decree. 

2. The FTC should, when it closes an investigation by deciding not to bring a 
complaint, issue a “no action” letter explaining why it decided the practice at 
issue was lawful under Section V. 17 Such letters, issued by other agencies like 
the Securities and Exchange Commission, provide an invaluable source of guid- 
ance to innovators. Congress should even consider whether the FTC should be 
required to issue such letters. 

3. The FTC should consider how it could use advisory opinions more effectively 
to provide guidance to industry on how the agency might evaluate new privacy 
practices — especially for companies working on the cutting edge of technology, 
which are often small. The FTC issues such letters on a wide range of topics, 18 
yet does not appear to have issued advisory opinions regarding the application 
of Section V to privacy. 

4. Congress should reassert the vital oversight it exercised in 1980 and 1983 
when it ordered the agency to issue the Policy Statements on Unfairness and 
Deception. At a minimum, the FTC should be required to explain, in detailed 
analysis, how it has applied those venerable standards in past privacy enforce- 
ment cases, and how it plans to do so in the future — again, because it is “easier 
to learn from history than it is to learn from the future.” 19 Such guidelines 
are routine in other areas, and provided for in the Commission’s current proce- 
dures. 20 Indeed, the antitrust guidelines issued by the FTC and DOJ form a 
key element of the American common law of competition. The FTC has issued 
a number of Guides 21 to explain its approach to consumer protection — but 
none for consumer privacy. 22 The FTC’s recently issued privacy report is no 
substitute for such a Guide — indeed, it has little grounding in the twin Policy 
Statements that are supposed to be the FTC’s lodestars. To replicate some of 
the adversarial nature of actual litigation, the process must be the result of 
a substantive dialogue with affected stakeholders, and it must be subject to in- 
volved oversight from the full Commission and from Congress. 

5. In particular, the FTC must clarify the boundaries of privacy harm under the 
Unfairness Doctrine. The FTC’s leadership seems to be trying to have it both
ways: playing down publicly what they can do with their existing legal author- 
ity (to support their argument for new statutory authority) while, at the same 
time, making bold claims about the scope of harm in their enforcement actions. 
If the concept of harm is stretched too far, the Unfairness Doctrine will become 
again, as it was in the 1970s, a blank check for the FTC to become a second 
national legislature. 23 I explain my concerns about the potential for the unfair- 
ness doctrine to be abused, but also my belief that the doctrine should be used 
to the greatest extent degree with the 1980 Policy Statement, in my March tes- 
timony before the House Energy & Commerce Committee. 24 


17 See, e.g., Jodie Bernstein, Re: Petition Requesting Investigation of, and Enforcement Action 
Against SpectraCom, Inc., http://www.ftc.gov/os/1997/07/cenmed.htm. 

18 16 C.F.R §1.1 (2012) (“Any person, partnership, or corporation may request advice from the 
Commission with respect to a course of action which the requesting party proposes to pursue. 
The Commission will consider such requests for advice and inform the requesting party of the 
Commission’s views, where practicable, under the following circumstances . . . (1) The matter 
involves a substantial or novel question of fact or law and there is no clear Commission or court 
precedent; or (2) The subject matter of the request and consequent publication of Commission 
advice is of significant public interest.”); see also Judith A. Moreland, Overview of the Advisory
Opinion Process at the Federal Trade Commission, available at http://www.ftc.gov/be/speech2.shtm.

19 See supra note 9.

20 Federal Trade Comm’n, FTC Operating Manual §8, available at
http://www.ftc.gov/foia/ch08industryguidance.pdf.

21 Federal Trade Comm’n, FTC Bureau of Consumer Protection — Resources: Guidance
Documents, http://ftc.gov/bcp/menus/resources/guidance.shtm (last visited June 26, 2012).

22 Federal Trade Comm’n, Legal Resources/BCP Business Center,
http://business.ftc.gov/legal-resources/48/33 (last visited June 26, 2012).

23 See generally, Howard Beales, III, The FTC’s Use of Unfairness Authority: Its Rise, Fall,
and Resurrection, § III, http://www.ftc.gov/speeches/beales/unfair0603.shtm [hereinafter Beales
Paper].

24 See Szoka, supra at 15. 





6. Congress should ensure the FTC has the resources adequate to engage in this 
detailed analysis. To dismiss the current legal model as inadequate simply be- 
cause it has not been fully utilized, and to adopt instead a new legislative 
framework whose true costs are unknown, would be truly “penny wise, pound 
foolish.” Given the clear need to reduce Federal spending across the board, and 
the decidedly mixed record of antitrust law in actually serving consumers, Con- 
gress could simply reallocate funding from the FTC’s Bureau of Competition — 
or, more dramatically, consolidate antitrust enforcement at the DOJ and allo- 
cate the cost savings from streamlining to the FTC’s Bureau of Consumer Pro- 
tection. 25 

If Congress wants to improve upon the American layered approach to privacy, 
these suggestions offer concrete steps that could be taken today. Just as Silicon Val- 
ley’s motto is “Iterate, iterate, iterate,” the same approach is needed for improving 
our existing framework. 

Only by using the current framework to its fullest capacity will we actually know 
if there are real gaps the FTC cannot address using its existing authority. In par- 
ticular, the process of issuing guidelines could identify problems as candidates for 
appropriately narrow legislation that could build on top of the current baseline as 
part of an effective layered approach — or for self-regulatory processes akin to those 
called for by the NTIA. If there are some forms of harm that require government 
intervention but that cannot fit within an appropriately limited conception of harm 
under unfairness, it may be better for Congress to address these through carefully 
tailored legislation, rather than shoehorning them into unfairness. For example, 
such legislation might be appropriate to prevent employers from pressuring employ- 
ees into sharing their passwords to Facebook and other social networking sites. 

V. The DAA: A Self-Regulatory Success Story 

The Digital Advertising Alliance has demonstrated how self-regulation can evolve 
to provide “the flexibility, speed, and decentralization necessary to address Internet 
policy challenges” — not perfectly, but better than government. Since my fellow witness,
Bob Liodice, is representing the DAA today, let me just highlight four areas
in which I think DAA has demonstrated the value of self-regulation beyond its additional
principles:

• Transparency: In April 2010, the industry began including an icon inside tar- 
geted ads to raise awareness of the practice and offer consumers an easy opt- 
out from tailored advertising. That icon is now shown in over a trillion ad im- 
pressions each month. 

• Education: Last January, DAA launched an unprecedented public awareness 
campaign called “Your AdChoices” to further increase public awareness of the 
AdChoices Icon, and consumers’ ability to opt-out. 

• Evolving commitments: In November 2011, the DAA updated its principles to 
bar data collected for advertising purposes from being used for employment, 
credit, health care treatment, or insurance eligibility decisions. 26 

• Enforcement: The Better Business Bureau, which administers enforcement of 
the DAA principles, and has done so for other self-regulatory programs since 
1971, has brought a number of enforcement actions, 27 demonstrating that it is 
far from toothless. 

• Do Not Track: In February, the DAA committed 28 to respect Do Not Track 
(DNT) headers sent by browsers when users visit websites as a (potentially) 
more consumer-friendly way of implementing DAA’s existing privacy opt-out. 

VI. Concerns about Self-Regulatory Processes 

The DAA is a good example of self-regulation evolving. But not all self-regulation 
is created equal. I have previously outlined my concerns about the self-regulatory 
process the NTIA has proposed to facilitate. 29 Chief among those concerns was the
role government plays in steering the process through the exercise of “soft power.”
My participation in the World Wide Web Consortium (W3C) process as an invited
expert (for the last six weeks) has increased that concern dramatically, given the
looming presence of the FTC, and to a lesser extent, European governments, behind
that process. In particular, I fear that an artificial deadline imposed by the FTC and
other global regulators may shape the outcome of the process in ways that prove
counter-productive.

25 See William E. Kovacic, The Institutions of Antitrust Law: How Structure Shapes
Substance, 110 Mich. L. Rev. 1019, 1034 (2012) (identifying several problems with Federal duality
of antitrust jurisdiction).

26 Digital Advertising Alliance, Self-Regulatory Principles for Multi-Site Data, Nov. 2011,
http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf

27 See Better Business Bureau, Case Decisions,
http://www.bbb.org/us/interest-based-advertising/decisions/ (last visited June 26, 2012).

28 Digital Advertising Alliance, DAA Position on Browser Based Choice Mechanism, Feb. 22,
2012, http://www.aboutads.info/resource/download/DAA_Commitment.pdf

29 Berin Szoka, Comments to the National Telecommunications and Information Administration
on the Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct,

More generally, despite my general skepticism of antitrust and belief that market 
power is best combated with market power, my experience with W3C has made me 
appreciate better the concerns raised by FCC Commissioner Tom Rosch about ma- 
nipulation of the self-regulatory process by powerful players — especially where mar- 
ket power is essentially piggybacking on the soft power of government. In his dis- 
sent from the FTC’s 2012 privacy report, Rosch asked: “the major browser firms’ in- 
terest in developing Do Not Track mechanisms begs the question of whether and 
to what extent those major browser firms will act strategically and opportunistically 
(to use privacy to protect their own entrenched interests).” 30 And in his concurrence 
to the draft version of that report released in December 2010, Rosch noted: “the self- 
regulation that is championed in this area may constitute a way for a powerful, 
well-entrenched competitor to raise the bar so as to create an entry barrier to a rival 
that may constrain the exercise of undue power.” 31 

These concerns about power are heightened by concerns about process. The W3C 
is highly respected as a standard-setting body, but it is not a policy-making body. 
Its first and only other policy-heavy process — to produce the Protocol for Privacy 
Preferences (P3P), a laudable but highly complex form of smart disclosure — was 
roundly criticized and never achieved widespread adoption. 

Many key players are simply not represented — most notably the publishers, 
smaller advertising companies and data processors. All of these have a great deal 
to lose and could be put out of business, or forced to consolidate with larger players, 
in a Default DNT-On world. In large part, this reflects the high cost of participation, 
not just in terms of W3C membership, 32 but in terms of committing at least one 
person to engage in the weekly teleconference, the deluge of e-mails on the discus- 
sion list and the face-to-face meetings, which run 2.5 days. 

It is also possible that the W3C Tracking Protection Working Group, while com- 
posed of talented, well-meaning and dedicated people, may simply not reflect the 
right mix of backgrounds, even among the companies represented. Significantly 
under-represented are those who could speak with authority to the real world trade- 
offs inherent in the many complicated decisions being made by the group — not 
enough business experts, no economists, and too many privacy advocates full of good 
intentions but lacking in real-world grounding. The stakes could scarcely be higher, 
with regulators standing ready to implement the outcome of the process, regardless 
of whether it is well-suited to the problems at hand. 

Further, the process has proven highly unwieldy, given the large number of peo- 
ple involved and the large policy implications of the questions being debated — which 
were amplified considerably by Microsoft’s decision to switch to Default DNT-On. 

Still, for all its flaws, it may prove — to paraphrase Winston Churchill on democ- 
racy — that the W3C process is the worst possible process — except for all the others. 
Certainly, it is a better option than having the FTC design a DNT mechanism on 
its own, as has been proposed in pending legislation. 33 

I explain all these concerns in more detail below. 

VII. The Dangers of Default DNT-On 

Default DNT-On is supposed to empower users but in fact, it simply empowers 
browser makers to force a fundamental change in the Internet ecosystem, from to- 


April 2, 2012, http://techfreedom.org/sites/default/files/Comments%20to%20NTIA%20on%20Self-Regulatory%20Process%204.2.12.pdf. 

30 Dissenting Statement of Commissioner J. Thomas Rosch, Issuance of Federal Trade 
Commission Report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for 
Businesses and Policymakers, Mar. 26, 2012, at 6, available at 
http://www.ftc.gov/speeches/rosch/120326privacyreport.pdf. 

31 Concurring Statement of Commissioner J. Thomas Rosch, Issuance of Preliminary FTC 
Staff Report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework 
for Businesses and Policymakers, Dec. 1, 2010, at E-3, available at 
http://www.ftc.gov/os/2010/12/101201privacyreport.pdf. 

32 A U.S. company with over $50 million in annual revenue must pay $68,500/year, while 
smaller companies must pay $7900, and startups with fewer than ten employees and $3 million 
in annual revenue pay $2250. W3C, Membership Fees, 
http://www.w3.org/Consortium/fees?country=United+States&quarter=04-01&year=2012#results (last visited June 26, 2012). 

33 H.R. 654, Do Not Track Me Online Act, available at 
http://hdl.loc.gov/loc.uscongress/legislation.112hr654. 





day’s low-friction, flat ecosystem of independent sites and services funded by imper- 
sonal data collection to one with fewer players who collect more data — ”opt-in 
dystopias.” 

Since last September, the W3C has been developing a technical standard for Do 
Not Track (DNT) headers that would “allow a user to express their personal pref- 
erence regarding cross-site tracking.” The W3C process was based on the idea that 
the DNT mechanism “must reflect the user’s preference.” Similarly, the DAA com- 
mitment was premised on the idea that the user has “affirmatively chosen to exer- 
cise a uniform choice with the browser based tool.” 34 Simply put, users, not brows- 
ers, should choose to opt-out of the data collection that creates so much value for 
consumers. 

Microsoft breached this consensus on user choice when it announced last month 
that its new IE 10 browser would send DNT:1 headers by default. This risks derail- 
ing the entire W3C process. Just the day before Microsoft’s announcement, at the 
weekly W3C teleconference, privacy researcher Lauren Gelman attempted to allay 
industry concerns that the spec might go too far by saying: “realistically, majority 
default DNT is not the world this standard will exist in. DNT is going to be a 10 
percent solution” 35 — a view overwhelmingly shared by participants. 

While Microsoft’s stated commitment to user empowerment is laudable, Default 
DNT-On doesn’t empower users any more than turning on ad blocking by default 
would. Anyone who cares can quite easily choose to make that choice. Below a cer- 
tain threshold of DNT adoption, few sites will find it worthwhile to charge, block 
or negotiate with those privacy-sensitive users who turn on DNT. But no-cost opt- 
outs and implicit quid pro quos don’t scale: beyond a certain point, sites will have 
to make quid pro quos explicit to gain opt-ins (technically, exceptions to DNT). In 
other words, a significantly higher DNT adoption rate will take us past a tipping 
point to an opt-in world. 

Some downplay the significance of this change, arguing that Default DNT-On will 
simply force negotiations between sites and users over granting exceptions 36 — a key 
part of the DNT spec. But as I explained in my comments on the draft FTC privacy 
report in February 2011, such negotiations are not costless; they introduce consider- 
able transactions costs (“friction”) into an ecosystem that currently works because 
it generated tiny amounts of value from enormous volumes of transactions. Eco- 
nomic theory suggests that forcing today’s implicit quid pro quo to become explicit 
(by switching to DNT Default-On) could produce dramatically different outcomes. As 
I explained: 

Much as I enjoy the rich irony of seeing those who are rarely thought of as free- 
marketeers essentially asserting that “markets” will simply, and quickly, “figure 
it out,” I am less sanguine. The hallmark of a true free-marketeer is not a belief 
that markets work perfectly; indeed, it is precisely the opposite: an under- 
standing that “failure” occurs all the time, but that government failure is gen- 
erally worse, in terms of its full consequences, than “market” failure. 37 

The first part of that lesson comes especially from the work of the economist Ron- 
ald Coase. . . who won his Nobel Prize for explaining that the way property rights 
are allocated and markets are structured determines the outcome of marketplace 
transactions. 38 For example, a rule that farmers bear the cost of stopping rancher’s 
cattle from grazing on their farms by constructing fences will produce different out- 
comes — not merely different allocations of costs — from the opposite rule. 

Coase’s key insight was that, in a perfectly efficient market, the outcome would 
not depend upon such rules: To put this in terms of the privacy debate, the choice 
between, say, an opt-out rule and an opt-in rule for the collection or use of a par- 
ticular kind of data (essentially a property right) would have no consequence be- 
cause the parties to the transaction (say, website users and website owners) would 
express their “true” preferences perfectly, effortlessly and costlessly. But, of course, 
such frictionless nirvanas do not exist. The real world is defined by what Coase 


34 Digital Advertising Alliance, supra note 27. 

35 See Lauren Gelman, “Re: tracking-ISSUE-150: DNT conflicts from multiple user agents 
[Tracking Definitions and Compliance]”, public-tracking@w3.org mailing list, May 30, 2012, 
http://lists.w3.org/Archives/Public/public-tracking/2012May/0341.html. 

36 Jonathan Mayer, “Do Not Track Is No Threat to Ad-Supported Businesses,” Jan. 20, 2011, 
http://cyberlaw.stanford.edu/node/6592. 

37 Comments of Berin Szoka, on “Protecting Consumer Privacy in an Era of Rapid Change: 
A Proposed Framework for Businesses and Policymakers, A Preliminary FTC Staff Report of 
the Bureau of Consumer Protection, Federal Trade Commission, February 18, 2011, 
http://techfreedom.org/sites/default/files/TechFreedom%20FTC%20filing%202011-02-18.pdf. 

38 Ronald A. Coase, The Problem of Social Cost, 3 J.L. & Econ. 1 (1960). 





called “transactions costs”: search and information costs, bargaining and decision 
costs, policing and enforcement costs. 

The transaction costs of implementing a “Do Not Track” mechanism above an ac- 
ceptable loss threshold of adoption — where sites must create architectures of nego- 
tiation — are considerable: someone must design interfaces that make it clear to the 
user what their choice means, the user must consume that information and make 
a choice about tracking, websites must decide how to respond to various possible 
choices and be able to respond to users in various ways through an interface that 
is intelligible to users, and so on — all for what might seem like a “simple” negotia- 
tion to take place. 

These problems are certainly not insurmountable — and, again, with the right en- 
gineering and thoughtful user interface design a “Do Not Track” mechanism could 
well prove a useful tool for expressing user choice. But when we look at the world 
through Coase’s eyes, we begin to understand how mechanism design can radically 
alter outcomes (in this case, funding for websites). 

Put simply, Default DNT-On could take us from a world in which users can freely 
browse content and services offered by a thriving ecosystem of publishers to a bor- 
dered Internet. Users will either have to pay or opt-in to tracking. In this worst- 
case opt-in “dystopia,” consumers could be made significantly worse off in three pri- 
mary ways. 

First, to the extent publishers have to rely on micropayments or subscriptions, 
their revenues will likely drop. Information goods have a marginal cost of zero, and 
therefore competition tends to drive their marginal cost to zero. Put more simply: 
unless you have a unique good protected by copyright, it’s hard to charge for it (and 
charging for many small transactions itself creates high transactions costs). Advertising 
has always solved this problem by monetizing attention, but advertising online 
is worth three or more times more when it is tailored to users’ interests. 39 
Many sites that rely on this revenue will simply disappear, or be consolidated into 
larger media companies. Consumers will have fewer, poorer choices. 

Second, those sites and data companies that are able to obtain opt-ins will likely 
collect more data in ways that are more personal than today. While opt-ins sound 
great in theory, they simply do not protect privacy in the real world. As Betsy 
Masiello and Nicklas Lundblad explained in their seminal paper about “Opt-in 
Dystopias”: 

opt-in regimes . . . are invasive and costly for the user and can encourage serv- 
ice providers to minimise the number of times opt-in is requested. This can 
have at least two adverse effects. 

The first is that service providers may attempt to maximise data collection in 
every instance that they are forced to use an opt-in framework; once a user con- 
sents to data collection, why not collect as much as possible? And the increased 
transaction costs associated with opt-in will lead service providers to minimise 
the number of times they request opt-in consent. In combination these two be- 
haviours are likely to lead to an excessive scope for opt-in agreements. In turn, 
users will face more complex decisions as they decide whether or not to partici- 
pate. 40 

The DNT spec allows sites to negotiate with users to grant exceptions to DNT as 
an explicit quid pro quo for access to content or services. But this could rapidly be- 
come complex given the need for users to manage exceptions for multiple sites and 
services: 

As this happens we are likely to see demand rise for single identity systems. 

. . . It is possible that emerging social web services could comply by setting up 
the opt-in as a part of the account registration process, as discussed earlier. 
Users have an incentive to opt-in because they want to evaluate the service; 
after opting-in, a user is able to make an evaluation of the service, but by that 
point has already completed the negotiation. The service, having already ac- 
quired the mandatory opt-in consent, has no incentive to enable users to renego- 
tiate their choice. 

The data collection in this instance would all be tied to a central identity and 
would be likely to have excessive scope and deep use conditions. One unin- 
tended consequence of a mandatory opt-in regime might be the emergence of 


39 See, Howard Beales, The Value of Behavioral Targeting, March 2010, 
http://www.networkadvertising.org/pdfs/Beales_NAI_Study.pdf 

40 N Lundblad and B Masiello, “Opt-in Dystopias”, (2010) 7:1 SCRIPTed 155, 
http://www.law.ed.ac.uk/ahrc/scripted/vol7-1/lundblad.asp. 





tethered identities, whereby a user’s identity is tightly coupled with a particular 
social platform or service. . . . 

From a privacy point of view, tethered identities present many challenges. The 
concept suggests that all behaviour is tied to a single entry in a database. The 
ease of executing an overly broad law enforcement request would be far greater 
than in a regime of fragmented and unauthenticated data collection. The degree 
of behaviour upon which an advertisement might be targeted would also be far 
greater. And the threat of exposure posed by a security breach would also in- 
crease. 

Third, few publishers and data-driven companies will be able to obtain opt-in ex- 
ceptions to DNT. This will force unprecedented consolidation in the Internet eco- 
system, both among publishers and among companies that use and process data for 
advertising, research and other purposes. As Masiello and Lundblad explain: 

A worst-case consequence of widespread opt-in models would be the 
balkanisation of the web. As already discussed, some degree of data collection 
is necessary to run many of today’s leading web services. Those that require ac- 
count registration, such as social web services, enjoy an easy mechanism for se- 
curing opt-in consent and would be likely to benefit disproportionately from a 
mandatory opt-in policy. 

If we believe that mandatory opt-in policies would disproportionately benefit au- 
thenticated services, we might also expect balkanisation of these services to 
occur. When information services are open and based on opt-out, there are in- 
centives to provide users the best experience possible or they will take their in- 
formation elsewhere. When these services are closed and based on opt-in, there 
are incentives to induce lock-in to prevent users from switching services. Users 
might be reluctant to leave a service they have evaluated and invested in; the 
more investment made the more likely a user is to stay with the current pro- 
vider. We might expect mobility to decrease, with negative effects for competi- 
tion and consumer value 

Simply put, Default DNT-On is likely to drive the adoption of federated content 
networks, and the evolution of highly decentralized websites and services towards 
an apps based model — such as on mobile phones and such as Microsoft is introducing 
in Windows 8 — in which advertising is delivered by the app platform operator. 
This might or might not be a good thing on net, but again, the point is that no 
one really knows, even as we tumble blindly down this path. 

With the best of intentions, we are heading towards reshaping the fundamentals 
of the Internet — in ways that may have serious negative unintended consequences 
for privacy, the sites and services consumers enjoy, and the health of the ecosystem. 
But the way we’re doing it may be even more troubling. This is not the result of 
a bottom-up evolutionary process, but of collusion between government and powerful 
market players. In the name of self-regulation, we are essentially moving toward 
the European model of co-regulation: where governments steer and industry rows, 
and where powerful incumbents use market power to serve their own agendas, with 
the blessing of government. 

The Federal Trade Commission called for a Do Not Track mechanism in its draft 
privacy report, issued in December 2010. Chairman Leibowitz and David Vladeck, 
Director of the FTC’s Bureau of Consumer Protection, have taken credit for pres- 
suring industry to come to the table on DNT. 41 The agency has played an active 
role in the W3C process. FTC Chief Technologist Ed Felten opened day two of the 
most recent W3C meeting by telling participants what the FTC wanted. Chairman 
Leibowitz and Commissioner Julie Brill delivered keynote addresses at the two prior 
meetings. Commissioner Brill, in particular, has pushed the W3C process to change 
the nature of the DNT spec to limit not just how data can be used, but what data 
can be collected in the first place. Representatives Ed Markey and Joe Barton have 
gone even further, sending a letter to the W3C Tracking Protection Working Group 
during its last meeting urging not only heavy restrictions on collection, but also that 
DNT:1 be turned on default. 42 

The FTC has clearly been turning the screws on companies to agree to comply 
with DNT — even before a standard exists. The FTC showed its hand in Twitter’s 


41 Federal Trade Commission, FTC Testifies on Do Not Track Legislation, Dec. 2, 2010, 
http://www.ftc.gov/opa/2010/12/dnttestimony.shtm. 

42 Letter from Congressmen Edward J. Markey and Joe Barton to World Wide Web Consortium 
Tracking Protection Working Group, June 19, 2012, available at 
http://markey.house.gov/sites/markey.house.gov/files/documents/%206-19-12%20Letter%20from%20Rep%20Markey%20and%20Barton%20-%20W3C%20.pdf. 





agreement to recognize DNT in May, 43 when FTC Chief Technologist Ed Felten an- 
nounced the deal himself even before Twitter could do so. Faced with the FTC’s 
open antitrust investigation, and the agency’s essentially unchecked ability to bring 
privacy complaints against the company, at a real cost to its reputation, it’s not 
hard to see why Twitter might be susceptible to . . . encouragement from the well- 
meaning folks at the FTC. 

So one has to wonder what role Chairman Leibowitz, and members of Congress 
like Representatives Barton and Markey, might have had in convincing Microsoft 
to break ranks from the W3C process — even if that risked derailing the process 
itself. 

This is, of course, speculative — but not without any basis. At the very least, Con- 
gress should ask the FTC to explain exactly what its role has been throughout this 
process. Further, Congress should call on the agency’s leadership to repudiate the 
disturbing argument made by Tim Wu in defense of “agency threats” as a valid form 
of extra-legal regulation. 

VIII. Conclusion 

There are no silver bullets. Neither self-regulation nor relying on Section V is 
without pitfalls. But together, and working in conjunction with market forces like 
reputation, with targeted legislative solutions, and with technological change itself, 
they form a layered approach to dealing with privacy that is more likely to protect 
us from true privacy harms without killing the goose that laid the golden egg. 

Senator Klobuchar. Thank you very much, Mr. Szoka. 

Thank you, all of you. 

And I just want to clarify something after listening to Mr. 
Szoka’s testimony, maybe with you, Mr. Liodice. 

The FTC isn’t actually regulating this right now. Is that correct? 
I mean, what is happening? Because it’s my impression that they 
are allowing the industry to engage in some of this self-regulation 
and put a policy forward. Could you give me your views on that? 

Mr. Liodice. Sure, yes. Thank you. 

We’ve had many collaborations with the FTC over the past few 
years. In fact, the FTC has essentially provided the information 
necessary as to certain directions that we have needed to head in. 

So it has been an ongoing collaboration with the FTC. And our 
self-regulatory mechanisms have evolved appropriately with the 
encouragement of the FTC. 

There admittedly had been times where there has been dis- 
satisfaction. And through their encouragement, we continue to 
press on, build the technologies, and to complete the system to the 
current capability that we currently have. 

Senator Klobuchar. OK. And I understand that some in the on- 
line advertising and technology industry, particularly those who 
have been negotiating at the WC3, believe that industry self-regu- 
lation is possible and that the industry can coalesce around an opt- 
in regime. What do you think the chances are of stakeholders com- 
ing together without congressional or FTC action to develop an opt- 
in regime? 

Mr. Liodice. To develop an opt-in regime we think is against the 
interest of commerce. We believe that the current opt-out philos- 
ophy that we are currently structured around and succeeding with 
is the right way to go. 

We have demonstrated that the industry can come together. We 
represent a consortium of 5,000 corporations with many different 
interests, with many different focal points. And to be able to bring 


43 Michelle Maltais, “Twitter supports ‘do not track’”, Los Angeles Times, May 17, 2012, 
available at http://articles.latimes.com/2012/may/17/business/la-fi-tn-twitter-do-not-track-20120517. 





that level of the business community together to create a system 
that, in fact, is working, not only for business but, most impor- 
tantly, for consumers, is something that this industry is extraor- 
dinarily proud of. 

Senator Klobuchar. Mr. Fowler, both the FTC and the White 
House reports mention the possibility of privacy practice becoming 
a consideration actually for consumers deciding between devices 
and services. And I think that the Microsoft announcement and 
other things would demonstrate that. 

Have you seen significant data suggesting consumers already 
choose services, particularly online, based on privacy practices? 

Mr. Fowler. I think there is a lot of data that shows that con- 
sumers do make decisions based on data practices. I think within 
our own user base, we are just in the process of completing an 
analysis of a survey that we did, where we had 10,000 of our users 
provide input on what they thought about “do not track” and pri- 
vacy and the types of tools that are available to them. 

And what we found was very interesting. And we will be happy 
to share the results of that analysis once we’ve done our write-up. 

But consumers do take privacy seriously. And they do feel that 
this is an important consideration for them as they browse the 
Internet, as they use services and applications. 

And we found in the context of “do not track” that service pro- 
viders, browsers, software manufacturers that provide “do not 
track” features actually lead to greater trust by the consumers who 
use it. 

Senator Klobuchar. Very good. 

Privacy policies are important, but I think we all know that con- 
sumers don’t necessarily read them all. What efforts are being 
made to make them more accessible and easier to understand? 

Maybe, Mr. Swire, you’d like to answer this as well? 

Mr. Swire. Well, so privacy policies have another purpose be- 
sides the consumers, which is it lays out for all the employees, it 
lays out for the enforcers, it lays out for the rest of the world, what 
the privacy rules are going to be. And they also become the basis 
for how the Federal Trade Commission and the State AGs can step 
in if they’re breaking their promises. 

The financial regulators had a good process to come up with a 
standard simplified privacy notice for Gramm-Leach-Bliley, much 
more like the kind of thing you see on the side of a soup can. And 
I think trying to find ways to have more standardized notices is 
something that everyone really supports. 

Senator Klobuchar. What about considerations for mobile de- 
vices that collect data, like smart phones and tablets? 

Mr. Swire. Well, you know, it’s limited real estate on the smart 
phone. And I think that for mobile apps, people are really strug- 
gling with how to somehow convey it. Maybe over time we’ll see 
icons used a lot more. Maybe there will be video notice — I mean, 
audio notices. But I think that’s really something that needs a lot 
more work. 

And they’re talking about mobile privacy as part of the mobile 
stakeholder process. We need more progress there. 

Mr. Liodice. If I may add to that, Senator? 





We are moving very aggressively to adapt or identify principles 
for mobile. We clearly will need this in the future. We need it now. 
And so we’re moving aggressively to ensure that the principles that 
we’ve established for the Internet will extend to the mobile world 
and ensure that we have absolute enforcement mechanisms in the 
same way that we currently have in the Internet self-regulatory 
sphere. 

Senator Klobuchar. So you would find some way to extend the 
opt-out principles and give the same options to those that have the 
small screens, such as tablets or smart phones 

Mr. Liodice. Absolutely. Absolutely. 

Senator Klobuchar. — as they have on a typical computer? 

Mr. Liodice. There is no question that we’re heading in that di- 
rection. We have processes underway to make sure that that hap- 
pens. We will not rest until that does happen. 

Senator Klobuchar. OK. 

Could anyone fill me in on how that’s going to happen, just how 
you physically do that? 

Mr. Liodice. The technology? 

Senator Klobuchar. Yes. 

Mr. Liodice. We haven’t developed it at this point in time, but 
we have developed a group that is examining this in a real-time 
basis. 

The first step, as we did in the self-regulatory process that was 
established, is to ensure that the principles are appropriately con- 
structed to meet the mobile platform, which is somewhat different 
than the current Internet digital platform. 

Once those principles are established, we will leverage our tech- 
nology partners that we’ve used to create the current monitoring, 
reporting, and accountability systems that will be moving into the 
unit that is eventually monitored by the Council of Better Business 
Bureaus. 

Senator Klobuchar. One last thing, Mr. Swire, and then I’m 
going to turn it over to Senator Ayotte. 

Mr. Swire. So it does show on the mobile how hard it would be 
to opt out of every single company that maybe places an ad. It’s 
just an awful lot of thumb work. 

And having a more simple one way to do it, “do not track” or 
other expression of preference, becomes even more important, I 
think, in the mobile space. 

Senator Klobuchar. Thank you very much. 

Senator Ayotte, and then we’re going to Chairman Rockefeller, 
and then Senator Thune. 

Senator Ayotte. Thank you, Senator Klobuchar. 

I wanted to ask Mr. Liodice, and I would like to hear all of your 
comments on this, certainly, in other contexts before this com- 
mittee, I have expressed concern about how the FTC interprets its 
authority under Section V. That said, one thing I would like to 
hear from each of you on is, can you give me an example of a harm 
that has taken place regarding privacy that can’t be adequately ad- 
dressed by Section V by the FTC? 

And how do you view the current law under Section V, in terms 
of using that as a mechanism of regulation, rather than creating 
all new legislation here? 





So can you help me on that? 

Mr. Liodice. Sure. 

Senator Ayotte. What is it that Section V isn’t protecting now? 

Mr. Szoka. May I jump in, Senator? 

Senator Ayotte. Sure. 

Mr. Szoka. First of all, thank you for your question. This does 
not get enough attention. 

The entire debate, as I emphasize in my testimony, goes on as 
if we don’t already have baseline consumer protection. And as I 
argue, the trick here is using Section V to its fullest extent and not 
beyond that. 

And the problem, if I may say today, as you’ll see if you look at 
any sort of privacy textbook, is, ultimately, you can look at what 
the FTC has done. You come up with what my colleague Charlie 
Kennedy summarizes as saying the list of “dos and don’ts” tell us 
which practices the FTC has challenged in the past, but does not 
provide a way of identifying those practices that might be chal- 
lenged in the future. To me, that’s the central problem. 

Right now, the problem is not doctrine. It is the fact that the 
FTC is never challenged in court. And because of that, there are 
no courts to develop doctrine, and it falls ultimately upon the agen- 
cy itself to explain its analysis to guide us. And that is precisely 
what I describe in my testimony as quasi-common law. 

Now, to answer your question, I think there are cases that 
couldn’t be dealt with adequately by unfairness, or at least that 
would stretch unfairness too far. 

And just to give you one example, there’s talk right now on the 
Hill of passing legislation that would bar employers from insisting 
that their employees give them their passwords to their Facebook 
accounts. I think that’s the sort of thing that could actually make 
a good target for narrow legislation, something I would encourage 
this committee to look into. 

I’m not saying that everything can or should be shoehorned into 
the unfairness doctrine, but I think unfairness can actually be used 
to do more today than it is being used without turning unfairness 
into what it was in the 1970s, which essentially was a blank check 
for the FTC to become a second national legislature. 

Senator Ayotte. Do other members of the panel have comments 
on that? 

And certainly, Mr. Szoka, that’s an issue that I’ve been con- 
cerned about in the past, of a blanket view of Section V. 

Mr. Swire. Well, the simple point is, if it’s not in the privacy pol- 
icy, there’s no deception claim. So a company says, “A, B, and C,” 
and it leaves out the rest of the alphabet. They can do anything 
with the rest of the alphabet. 

And there’s no Administrative Procedure Act rulemaking author- 
ity in this area, so there’s not a chance to get public comments and 
to have on the record an idea of what the rule should be or not be. 

In the absence of that, the FTC, without rulemaking authority, 
has to go case-by-case, and they have no help on the rest of the al- 
phabet after A, B, and C, if that’s all the privacy policy says. 

Mr. Fowler. And if I could just build on that a little bit. I mean, 
we have a Ford Foundation grant that is a research project looking 
at first- and third-party tracking online. 





The project includes a special add-on for Firefox browser called 
Collusion. I would encourage you to check out by going to 
www.mozilla.org/collusion. You or your staff can install it and look 
at your own webpages to see what kinds of tracking practices are 
in place. 

And what we’ve found, without fail, is that a lot of organizations 
really don’t have a clear picture of the types of data practices that 
their sites and applications are engaged in. 

And so if you think about this question of Section V and what 
you’ve disclosed in your privacy policy, what we’re finding is that 
those privacy policies remain static for too long. They don’t reflect 
necessarily the day-to-day changes that happen in today’s dynamic 
webpage and application environment. 

Mr. Liodice. And if I may build on that, I had to check with 
counsel, since I’m not a lawyer, to ensure my understanding of it 
as well. 

Part of the beauty of what the self-regulatory mechanism pro- 
vides is the flexibility to be able to track case-by-case and to be 
able to link that up with the principles that our marketers have 
to ascribe to. And if, in fact, they deviate from that, our reporting 
mechanisms provide the identification to our accountability mecha- 
nisms and our self-enforcement mechanism. And if, in fact, those 
changes or those violations of those principles don’t occur, then we 
reference them back to the FTC. 

But with the system that we have, we are able to get at cases 
and violations of principles that may have escaped the FTC’s pur- 
view. 

Mr. Szoka. Senator, may I briefly add to that? 

Everyone here likes to diminish the importance of case-by-case 
rulemaking. And I would agree that case-by-case rulemaking 
doesn’t work if you don’t explain your analysis. And that is pre- 
cisely the world we live in today. 

All we have is consent decrees that are essentially bald assertions 
that a company has done something unfair or deceptive. It 
would be a very simple matter for the FTC to simply do more in 
its analysis to explain that. If they don’t have the resources, I, as 
somebody who believes in limited government and cutting spending 
probably more than anybody in this room, would be delighted to 
give them more funding to do that. 

It is pennywise, pound foolish to give up on the existing model 
simply because the FTC doesn’t have the time to explain to us 
what unfairness means. You could have a meaningful unfairness 
doctrine to deal with cases beyond what companies have promised 
if you simply did that. 

And I’ve laid out four ways the FTC could do that. And I think 
that would be the best thing that this Congress could do to help 
the agency reach its full potential. 

Senator Ayotte. My time has expired. Appreciate it. 

Senator Klobuchar. Thank you. Chairman Rockefeller. 

STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 

U.S. SENATOR FROM WEST VIRGINIA 

The Chairman [presiding]. Thank you, Madam Chair. 



This isn’t a question. Mr. Szoka, I have to admit a vast admira- 
tion for you. But I have a question at the end. 

You’re in love with the law. And I think you’re in love with your- 
self. You declare yourself the most conservative person in the room, 
and I certainly would not argue that. 

My question to you is, when you go through your complex legal 
machinations, for which I’m sure you’re very well paid, do you ever 
think about the effect on consumers? You have not used the word 
“consumer” once, “user” once. 

All you talk about is what works for corporations, what is unfair 
about FTC. 

It’s all about legal practices. There’s nothing about people. I’m 
just really curious. 

I’m not quite sure how you got on this panel, but you obviously 
slid by me. 

Mr. Szoka. Sir, I believe that the rule of law protects citizens. 
It is the bedrock of a free country, and that ultimately having 
agencies follow the law and work through legal means is something 
that protects consumers. 

I also have explained today that what I admire, what I am in 
love with, is the idea that we use the law in consumer protection, 
that we have legal doctrines that do precisely what you’re getting 
at, which is allow us to address real harm to consumers and weigh 
costs and benefits. That’s well-established doctrine. I didn’t make 
that up. The FTC did. 

The Chairman. Thank you. 

This is to Mr. Liodice and Mr. Swire. We had a May hearing, and 
I asked Chairman Leibowitz about the Digital Advertising Alli- 
ance’s new self-regulatory initiative. And you know, going back to 
automobiles and all kinds of things, self-regulation is a matter of 
interest to this committee, because if it doesn’t work, then we want 
to do something about it, at least some of us do. 

And the alliances pledged to address the “do not track” request 
from Web browsers. And he made it very clear, that’s Leibowitz, 
that if the alliance is going to honor a consumer’s “do not track” 
request in a meaningful way, they’ll have to stop collecting con- 
sumer information, period, except for some limited exceptions. 

And I’m going to get into those limited exceptions in this or the 
next question. 

In other words, what Leibowitz was saying was, it made it very 
clear that you had to do a “do not track,” and it should mean “do 
not collect” — do not collect, do not track. 

In other words, don’t start. Don’t get to the hundred different, 
you know, exercises of 5,000 different exercises with your thumbs 
that you have to do to get to what you want. 

How do you respond to that? 

Mr. Liodice. Mr. Chairman, the Internet operates on some col- 
lection of data. And if a consumer opts out of any kind of informa- 
tion-gathering, there are necessary exceptions in order to be able 
to ensure that fraud protection, crime prevention, other systems 
that currently operate on the Internet need to continue to ensure 
that those law enforcement capabilities continue to exist. 

The areas of exception that were noted in terms of market re- 
search are those that we had talked to the chairman about before. 
And his staff and he believed that that was the right direction to 
go at that stage. 

The one thing that I can say about self-regulation 

The Chairman. However, I don’t think he — he said that these 
could be expanded almost to the point where the rule would be 
swallowed up. 

Mr. Liodice. Of course. 

The Chairman. In other words, the definition is so broad, so 
inexplicably wide, that anything could fit in. So that he liked the 
concept of it, but there was a large “but” 

Mr. Liodice. Right. 

The Chairman. — which you have not referred to. 

Mr. Liodice. We would agree that boundaries need to be placed 
in this arena, because consumers need boundaries in order to un- 
derstand exactly what their rights are, what their privileges are, 
and what their decisions need to be based upon. 

And that’s the reason why we’ve established the mechanisms for 
what we already are currently doing. If something is not working 
or not working as effectively, part of the word that I used before 
about our system is “evolutionary.” We’ve continued to evolve to ad- 
dress concerns from the very beginning of our development of the 
Digital Advertising Alliance self-regulatory system. 

For example, on multisite data and mobile, we are evolving, 
based upon the concerns that have been addressed by legislators or 
the FTC or others. 

The Chairman. But you would agree, would you not, that if 
Leibowitz’s side concern — and that is that these two phrases could 
be used to sort of swallow up the whole intent of the rule — that it’s 
better not to fiddle around with that? 

Mr. Liodice. No, what we would do is try to establish 

The Chairman. You would be 

Mr. Liodice. — boundaries. 

The Chairman. You’re at DAA 

Mr. Liodice. Yes. 

The Chairman. — with 5,000 people who you say represent all 
kinds of different interests. 

Mr. Liodice. That’s correct. 

The Chairman. You’ve corralled them, like cats. But at some 
point, don’t you, therefore, have to have something that says “do 
not track”? 

Mr. Liodice. No, I do not believe that that’s the case, sir. 

The Chairman. Why is that? Because that would put you out of 
business? 

Mr. Liodice. No. 

The Chairman. I’m being a little cynical, but I’m being serious. 

Mr. Liodice. No, I understand. Exactly. 

The key here is a question of how we approach limitations on 
that collection that is responsible, that addresses consumer inter- 
ests. And as I mentioned before, one of the core interests that we 
have, in terms of “do not track,” is cybersecurity. 

We cannot turn our backs on cybersecurity as an issue, because 
if, in fact, we do not track completely, and totally stop any type of 
information-gathering whatsoever, we run into serious problems in 
the way the Internet is managed. 



The Chairman. I may want to explore that with you. My time 
is up. 

Thank you, Madam Chair. 

Senator Klobuchar [presiding]. Thank you. 

Senator Thune? 

STATEMENT OF HON. JOHN THUNE, 

U.S. SENATOR FROM SOUTH DAKOTA 

Senator Thune. Thank you, Madam Chair. 

And I want to thank our panelists today. I know I always wel- 
come different perspectives. And divergence of opinions is a good 
thing. I think that benefits all of us as we try to make good and 
informed decisions, so thank you all for being here today. 

Our most innovative companies of all kinds use data to improve 
their products, gain understanding of their customers, and make 
better and more informed decisionmaking. Data is behind all sorts 
of customization, innovation, that benefits consumers. 

There was a report commissioned by Interactive Advertising Bu- 
reau recently that concluded that the Internet accounted for 15 
percent of total U.S. GDP growth. And if the Internet were a na- 
tional economy, by 2016, it would rank as the fifth largest economy 
in the world. 

The advertisement-supported Internet contributes $300 billion to 
the U.S. economy and has created about 3 million American jobs. 
At a time when we have sustained grim economic news, it has re- 
mained a very bright spot in the U.S. economy, and that trend con- 
tinues. 

And my concern is that if we try to rush a quick fix on the issue 
of privacy, rather than very thoughtfully and carefully dealing with 
the issue, we could stifle the very important economic advantage 
that we have in the United States. 

My question is a fairly broad one, but I’d like to get your reaction 
to it. And that is, what are the risks if Congress adopts an overly 
restrictive European-type approach that stifles U.S. innovation? 

Mr. Liodice. If I may start, Senator Thune, that is, essentially, 
the core fear, that we lock in place what we currently have and not 
leave ourselves open to the evolution of technology. 

Creativity and innovation is the basis for the Internet. And we 
recognize that, as part of our self-regulatory principles, we have to 
allow enough room and flexibility to adapt to a changing economy 
and rapidly changing technologies. 

If we lock ourselves in place too rigidly, we may choke off the 
kind of innovation and creativity which is the basis for our dy- 
namic U.S. economy, which, in the end, may cost jobs here in the 
United States and around the world, if, in fact, we don’t have that 
flexible and open society. 

Mr. Szoka. Senator, while Senator Rockefeller might dislike my 
mentioning another law, let me mention the law of unintended con- 
sequences. And that is to say that what you are putting your finger 
on is that there are many competing values here for consumers. 

We can do things that seem to be good for privacy that, in fact, 
end up hurting privacy, that hurt other values. 

And as I explain in my written testimony, that fear is not only 
in the case of legislation such as you describe, but also in what 
Congress and the FTC have been doing to push the “do not track” 
mechanism to be something other than what it was when it start- 
ed. 

In other words, as Senator Klobuchar suggested, if Congress sits 
here, and the FTC does, push it toward being an opt-in mechanism, 
you fundamentally change the nature of the Internet. 

“Do not track” was intended to be a solution for people who felt 
privacy sensitive, who were concerned about that, and wanted to 
make that tradeoff. 

Below a certain threshold, say 10 percent, that can be done for 
free. No one is going to bother changing mechanisms to negotiate 
with users. 

Above a certain threshold — and that’s where we’re heading now, 
given Microsoft’s decision — you start to put in place a dynamic that 
changes what we have today. You start to create, instead of today’s 
ecosystem where you browse the Internet, you go anywhere you 
want, and there are no pay walls, there are no pop-ups, you instead 
have a system of opt-in consent. 

And I think if you look at my testimony and if you look at the 
paper called “Opt-in Dystopias,” you see that, in fact, that’s a very 
bad world for consumers. It’s one in which there’s likely to be, iron- 
ically, more data collected. 

Even though we’re intending to reduce data collection, you could 
have more collected by fewer parties in a less transparent way, 
while at the same time making the entire ecosystem worse off. 

So, yes, I actually care very deeply about consumers. And I worry 
that we risk all of those things when either we pass legislation that 
is in the European model or we extort concessions from the private 
sector, as the FTC and others may be doing. They’re clearly pres- 
suring companies to do things that they never intended to do, and, 
as Mr. Liodice is saying, have those unintended consequences. 

Mr. Swire. Senator, last fall I testified in the House Energy and 
Commerce Committee on the European Union and U.S. and where 
jobs go. And my testimony concluded that a “we don’t care about 
privacy” approach, that if the U.S. says we’re not going to do it, 
that puts a lot of U.S. jobs and global leadership in this area at 
risk, because we get a risk being treated as locked out from a lot 
of markets around the world. 

India now has privacy rules on the book. Most of Asia does. All 
of Europe does. And if the U.S. is considered a non-player, we could 
have U.S. companies shut out of a lot of markets. So we have to 
face in an international trade setting the reality that if we have a 
pretty good, credible system here that we can live with, we’ll also 
have a much better export system. And we have to figure that into 
the mix. 

Mr. Fowler. If I could just add, as a global software organization 
with consumers around the world, including Europe, the reality for 
compliance, the reality for establishing trust, is that we have to ad- 
dress the privacy compliance jurisdictional requirements that exist 
wherever we do business. 

So while we’re not ready to say that we should have a European- 
style data protection regime in the U.S., we have one anyway, in 
the sense that we have to comply with that and respect those differences 
from a legal and cultural perspective when we’re interacting 
with European customers. And that’s true for all the leading 
Internet companies today. 

Senator Thune. I see my time has expired. 

Thanks, Mr. Chairman. 

The Chairman [presiding]. Thank you. 

Senator Ayotte? 

Senator Ayotte. I wanted to follow up briefly — thank you, Mr. 
Chairman — on this idea, Mr. Liodice, that you mentioned about 
cybersecurity concerns. And if you could describe more where you 
see those concerns arising, if we were to legislate on the “do not 
track” issue. 

Mr. Liodice. Sure. It starts with the fundamental fact that the 
Internet operates on collecting data. And in order to be able to le- 
verage the various components of our economy, of cybersecurity, of 
the effective management of the Internet, there needs to be appro- 
priate data collection. 

Now, the self-regulatory program that we’re talking about essen- 
tially provides choice for the limitation of data with respect to ad- 
vertising. But if we are not careful about how far that we extend 
the reach through legislation of limitations on data, there are law 
enforcement agencies that currently rely upon data that is collected 
currently over the Internet. 

If we block or limit that ability, the unintended consequences 
may be the inability to prosecute fraud or not have as robust 
cybersecurity protections as we have currently at this moment in 
time. 

So the point was that, if in fact legislation does come about, it 
needs to be done with great care to ensure that the data collection 
that currently exists for global opportunities, such as cybersecurity, 
fraud protection, et cetera, must be kept in place, if not become 
more robust. 

Senator Ayotte. As I hear it, and before I served in the Senate, 
I was a State attorney general, that you’re referring to areas, for 
example, of sexual predators, identity theft. Are these the areas 
that you’re — you know, when we think about — or are there other 
broader areas that you’re concerned that law enforcement wouldn’t 
be able to access data, because, obviously, in that regard 

Mr. Liodice. Right. 

Senator Ayotte. I mean, I’ve worked on those cases. I’ve worked 
with the police on those cases. I understand the type of information 
that is used to hold individuals accountable that are misusing the 
Internet to commit crimes. And, certainly, that would not be a good 
consequence, if we were to legislate in that area, so law enforce- 
ment couldn’t get access or that information wasn’t somehow re- 
tained. 

Mr. Swire? 

Mr. Swire. So this issue of cybersecurity and information-shar- 
ing has been a great big issue in the cybersecurity legislation that 
this committee and others have been working on. 

I had an op-ed in The Hill on this subject. And one of the con- 
cerns from the privacy side is that definitions are so broad of what 
counts as cybersecurity that this could be basically all clicks go to 
government. And some of the proposed language has even been, 
notwithstanding all other laws, if it’s related to cybersecurity, it 
goes to the government. 

And I think that that’s a very broad potential idea of what 
counts as cybersecurity. And it raises issues about government ac- 
cess to data that are really quite substantial. 

Mr. Szoka. And if I may also respond to this, I’ve joined forces 
with groups on the left — the ACLU, the Electronic Frontier Foun- 
dation — raising those very concerns about such cybersecurity legis- 
lation. 

And once again, my concern is that the real harm here comes 
from government itself. And the way to deal with that is not to 
cripple law enforcement’s access, nor to give it every piece of infor- 
mation it wants. 

The solution, as is often the case here, is to ensure the rule of 
law, which is to say, we have the Fourth Amendment. We have a 
system for ensuring when government gets access to data, and we 
should respect that. Those are the values that, unfortunately, get 
left out of these conversations far too often. 

We far too often focus on companies as vehicles for collecting 
data, fearing the government will get access to it, while doing noth- 
ing at all to ensure that government gets access through constitu- 
tional procedures. 

Mr. Fowler. If I could just add, I think that before we get too 
far into this, I think it’s important to clarify that in the context of 
“do not track,” in behavioral advertising, we’re not talking about 
security. We’re talking about security of the data related to serving 
impressions, right? So it’s a different type of data. And the security 
exemptions that are being discussed by the W3C and the DAA are 
specific and narrow to that type of data. 

Senator Ayotte. One of the concerns that I worry about, regard- 
less of what your view is, whether to legislate or not to legislate 
in this area, is how we get it right, in the sense that, with the 
evolving technology. And as I said in my opening statement, as 
soon as we come up with something that we think solves the prob- 
lem with the evolving of the technology, you know, that’s what I 
worry so much about. That if we do it, certainly, if we legislate in 
this area, if we decide to legislate in this area, how do we get it 
right, so that it doesn’t impede our economy or also make it worse 
for consumers? 

Mr. Liodice. If I may comment on that? 

Senator Ayotte. Thank you, Mr. Chair. 

Mr. Liodice. I’m sorry. 

Senator Ayotte. I think my time is up, so I certainly don’t want 
to 

The Chairman. Go ahead. 

Senator Ayotte. I’m all set. Thank you. 

The Chairman. OK. Thank you very much. 

I just want to sort of declare the cybersecurity argument a total 
red herring. It has absolutely nothing to do with any of this. And 
the original cybersecurity bill, it was written by Olympia Snowe 
and myself and this committee. And that was 3 years ago. It’s been 
negotiated and on and on and on. 



The FTC, there are exceptions made that cover any cyber security 
matters, so that any use of that as an argument against “do not 
track” or whatever else is just off the wall, from my point of view. 

Mr. Swire, your written testimony mentions a recent study of the 
100 most popular websites that was conducted by researchers at 
Berkeley. The study found that these websites are collecting an as- 
tounding amount of information about their customers. 

According to the researchers, 21 of the 100 top websites placed 
100 or more cookies — this gets right to you — on users’ computers. 
That means that when an individual visits one of those websites, 
100 or more different companies start to collect information about 
that person. Therefore, if you have to opt out, you have to do it 100 
times. Therefore, why not just “do not track.” 

Mr. Swire, do you believe that most consumers know how much 
information is being collected about them when they visit popular 
websites? 

Mr. Swire. We have survey result studies that show that they 
don’t know, that if you ask them what they think is happening and 
then you sit them down and tell them, they’re quite surprised by 
how much more is being collected. 

The Chairman. Wouldn’t it be your view, and maybe yours, too, 
Mr. Fowler, that the whole history — I mean, we do this with cram- 
ming and telephone companies, they all start out — I mean, United 
Healthcare has now announced grandly that they’re going to con- 
tinue many of their policies. 

Well, their policies happened to have created something called 
“Ingenix,” which would sort of sets the random market for how 
much healthcare costs all across the country. And they paid a $350 
million fine in New York State court, which is like admitting they 
were guilty. It’s a rather bad company. We’ve spent a lot of hear- 
ings and have spent a lot of time on them. 

In other words, they say they’re going to continue, but you know 
they’re not. It’s great PR. 

Companies say they’re going to crack down. Yes, they do for a pe- 
riod of time. But then as you indicated, at some point, it comes up 
against their own self-interest. And at that point, they usually 
crack, in my judgment. 

Mr. Swire, tell me why I’m either right or wrong on that, or if 
I’m close. 

Mr. Swire. Well, Senator, I’m in a hearing and you’re right. But 
seriously, the history has been that when you and the government 
are paying attention to these issues, and the press pays attention 
to these issues, that companies upgrade their efforts and pay more 
attention to enforcement. 

And then when some different issue becomes the center of atten- 
tion, these don’t get as much attention. And if you don’t 

The Chairman. And so answer that in terms of — what we’re talk- 
ing about is that you don’t sort of have an off and on switch. You 
do something called legislate “do not track.” 

Mr. Swire. And that’s what, for instance, has happened for 
CAN-SPAM and for the Children’s Online Privacy. The Federal 
Trade Commission got the ability to write rules and everybody got 
a right to comment on them. And both of those regimes have been 
pretty steady. Those haven’t been huge flashpoints. We have 
COPPA. We have CAN-SPAM. They do what they do, and it’s been 
working reasonably well. 

The Chairman. Reasonably well. On the other hand, Facebook, 
which is, as I understand, a fairly profitable company, has a rule 
in which they say that no kid under the age of 13 can be allowed 
to expose themselves and, you know, all the bullying, sometimes 
leading to suicides, all kinds of things have happened. On the other 
hand, they don’t stop it. 

Mr. Swire. Well, then so that’s a reason to revisit things. That 
was a 1998 statute, and so then, periodically, you come back to 
these things, as you do in lots and lots of other issues. 

But if you don’t come back ever, then what we’ve seen is that the 
level of effort from industry really has fallen down in the periods 
when attention was elsewhere. 

The Chairman. Yes, sir? 

Mr. Fowler. So if I might add, I think from our perspective and 
as we look more into consumer values as it relates to personaliza- 
tion, interest-based ads, and so forth, I don’t think we’re at the 
point yet where we have the same kind of consumer or public back- 
lash that we’ve had with CAN-SPAM and Do Not Call. I think 
there’s still an opportunity here. 

And some research backs this up, that we have a polarized set 
of consumers on both ends that are very surprised and uncomfort- 
able by tracking online, and others who are very excited about en- 
gaging in personalized content and services. And we have a much 
larger, in fact, the bulk of the consumer market, that’s somewhere 
in the middle, and, ultimately, will decide based on the value they 
receive and how transparent those mechanisms are. 

So I think we’re at a point where the discussions that we’re hav- 
ing with the W3C, we have an opportunity to address this through 
technology and changes in industry practices that create more 
transparency. 

The Chairman. And then how would you handle the small-print 
problem? 

Mr. Fowler. Maybe if you could say a little bit more, so I under- 
stand exactly the nature of the question? 

The Chairman. You know, people don’t read it. 

Mr. Fowler. Oh, small print. OK. 

The Chairman. They don’t have the time to read it. And if they 
read it, they can’t understand it. 

Mr. Fowler. Right. In my written 

The Chairman. If they can see it. 

Mr. Fowler. Yes. In my written testimony, I talk about some of 
the failures related to the notice and choice model. Again, I feel 
that there is a lot of innovation that’s yet to happen. 

From a Mozilla perspective, we’re doing a lot of investment in 
mobile and application notices, looking at in-context notices, as op- 
posed to small print that the consumer has to find and try to un- 
derstand. 

The first time they start to interact with a new feature or they 
see a particular kind of behavior or conduct happening at a site is, 
from our perspective, an opportunity to reinforce what choices they 
have, how to configure the tools that are available to them, and 
what to ask for from the sites. 



So I think that we still have more room for innovation. And I 
think there’s still opportunity to educate consumers. And hopefully, 
mobile and applications will give us a platform to really see some 
of that happen. 

The Chairman. This committee really works very hard on con- 
sumer protection. I mean, I’m very open about that. It used to be 
a little bit different. Now it’s very clear in its direction. 

So naturally, that colors the way we approach things. We really 
bear in on consumers. What are they capable of doing? What are 
they capable of understanding? What’s beyond their reach? What’s 
not fair? Et cetera, et cetera. 

And my sort of favorite example, which we’re actually working 
on quite hard, is moving companies. You decide to move, and you 
don’t particularly look — you just sign a piece of paper that says that 
you accept their contract. But it’s kind of a low bid. And because 
you’re not wealthy, you take that low bid because, after all, fur- 
niture on a truck trucked to the next destination is not very hard. 
But what happens so often is that the trucks just stop halfway 
through and say, if you want your furniture, you’ve got to pay us 
another $2,000. 

That’s, Mr. Szoka, what I mean when I say that our concern is 
about consumers. 

You have to sometimes go a far piece to make sure that they get 
the help that they flat out deserve — their lives are far too miser- 
able and difficult these days to possibly figure out for themselves 
how to protect themselves. 

So it does become the role of government. It’s like children that 
are in extreme hunger. There are millions of them across this coun- 
try. Should the government stay away from that until the free mar- 
ket can sort it out? Or should the government actually say, no, this 
is something that is not good, this affects the way our future brains 
will develop and all the rest of that, and we do something about 
it. 

And we have a little bit of that bent in this committee, at least, 
on this side, a little less on the other side, but surprisingly on the 
other side, happily on the other side, also. 

So let me just thank you all for taking the time to come. 

Mr. Szoka, I was very rude to you, and I’ll write you a letter of 
apology, if you wish. I really will. 

Mr. Szoka. Could I just say one final thing, Senator? 

The Chairman. No. 

[Laughter.] 

The Chairman. And I’ll write a letter of apology for that, too. 

[Laughter.] 

The Chairman. But thank you for taking the time, very, very 
much. We’re all sort of focused on what the Supreme Court has 
just done, which you’re all aware of, right? 

So this hearing is adjourned. Thank you. 

[Whereupon, at 11:10 a.m., the hearing was adjourned.] 



APPENDIX 


Statement of Computer & Communications Industry Association 

Self-regulation is a vital part of consumer privacy protection, and the World Wide 
Web Consortium’s current work on a Do Not Track standard, along with the Digital 
Advertising Alliance’s agreement to honor a DNT header, are good examples of the 
power of this method. The Computer and Communications Industry is a 40 year- 
old international non-profit trade association dedicated to open markets, open sys- 
tems, and open networks. CCIA members participate in many sectors of the com- 
puter, information technology, and telecommunications industries and range in size 
from small entrepreneurial firms to some of the largest in the industry. CCIA mem- 
bers employ nearly half a million workers and generate approximately a quarter of 
a trillion dollars in annual revenue. 1 Our members produce web browsers, operate 
search engines and e-commerce websites, are Internet advertisers, and offer free 
web services of many kinds. 

Consumer choice regarding the use of personal data is of the utmost importance. 
Users should have the ability to opt-out of systems that impact their privacy if 
they’re uncomfortable. This is important not just for reasons of pure privacy protec- 
tion, but also because trust is so essential to the online marketplace. Users who 
don’t trust an online service have many other competitors to choose from and can 
always take their business to another, more privacy protecting, website. 

Do Not Track options are an important part of consumer choice. These options 
allow users to indicate their preferences with regard to online tracking through a 
simple browser mechanism that is easy to set, universal, and permanent. A broad 
coalition of advertisers, brought together by government acting as a convener has 
agreed to honor the Do Not Track header. The World Wide Web Consortium (W3C), 
a multi-stakeholder body responsible for Web-wide technical protocols, is in the 
process of developing the specifications that will underpin the DNT header. This 
past week the W3C conducted a number of days of meetings surrounding the DNT 
header, and made progress on some of the remaining issues. A few outstanding 
questions remain to be answered before the specification is finalized. 

As such, the W3C process is an example of a successful self-regulatory program. 
There are many different voices in the room there, each with strong opinions, but 
progress is being made and while the outcome is not yet certain, there is some con- 
fidence that an eventual agreement may be reached. There may be parties on all 
sides who are not entirely happy with the final result, but on the whole it will be 
a product of compromise and be a great step forward for privacy on the Internet. 

In a parallel self-regulatory effort, a group of advertisers has come together called 
the Digital Advertising Alliance (DAA). The DAA has worked with government con- 
veners to reach an agreement, backed by Section 5 of the FTC Act, to respect the 
DNT header. Self-regulation is alive and well in the tracking space, with companies, 
government, and civil society all collaborating to develop workable frameworks that 
protect users. 

CCIA has two areas in which we wish to highlight concerns about the Do Not 
Track conversation. While the ongoing W3C process is a positive one, there are still 
a few areas where uncertainty remains, and where a wrong decision could have 
unintended consequences. By mentioning these areas, we hope to help avoid those 
consequences. 

First is the question of exceptions to Do Not Track. The setting of a Do Not Track 
header, while it is an important consumer protection tool, cannot be a universal sign 
that a user will never have some traces kept surrounding their use of websites. 
There are important business reasons to monitor customer use of websites that 
should not be preempted by a Do Not Track header. For example, a lot of users’ 
actions on websites are stored in order to combat fraud or cheating. Financial 
websites as well as essentially any online merchant must keep track of a certain 
amount of information about visitors in order to protect the entirety of their users. 

1 For a full CCIA member list, please see http://www.ccianet.org/index.asp?bid=11. 

For another example, the vast majority of websites anonymously track how users 
move around their own website in order to study their layout and usage statistics. 
We all reap the benefits of this tracking in the form of better website design and 
navigation, and website operators can improve their businesses by making sure 
visitors are finding the pages they need easily and quickly. This can be analogized to 
a retail store studying how anonymous visitors move through the store in order to 
decide if any changes need to be made to the layout of the products. 

The second important aspect of Do Not Track is in user education. Do Not Track’s 
focus is on the privacy implications of what can be collected on the Web while a 
user browses. That information is of course important to a user and should be a 
subject of education without a doubt. The problem here stems from what is not being 
adequately explained to users, and that is the value that comes from anonymized 
data. Advertising targeted toward what a person likes and enjoys pays for a huge 
amount of content and services on the World Wide Web that are offered for free to 
users. Without that source of revenue, innovation in online services would be much 
harder to come by as the price of starting up a new service and gaining customers 
willing to pay would be drastically higher. 

Data isn’t just important for advertising purposes. Collecting large amounts of 
anonymized data can open up worlds of research that users are not aware of. A 
famous example is Google’s Flu Trends, in which computers analyze live queries coming 
from distinct geographical areas, highlighting people who are searching the Internet 
for flu symptoms. In this manner, Google can often predict flu outbreaks before even 
the Centers for Disease Control. Amazon and Netflix each do similar analysis when 
they help each of us find new books, movies, and music we might like, based on 
what thousands of other people have also enjoyed. This sort of data collection and 
analysis poses no real privacy threat, yet provides an invaluable public service. 

Users today, however, are not presented with this side of data collection and are 
making decisions about privacy protection without understanding this inherent 
trade-off. If a user is fully educated and then makes a decision to remove herself from 
the data ecosystem, that is a choice that should be respected, but the education must 
come first so that decision is informed. 





